Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to calculate distinct count with condition?

LearningGuy
Motivator
‎11-01-2023 07:20 AM

Hello,

How to calculate distinct count with condition?

How to calculate unique vuln that has score >0, group by ip?

Before calculation

ipvulnscore
1.1.1.1vuln10
1.1.1.1vuln10
1.1.1.1vuln23
1.1.1.1vuln23
1.1.1.1vuln23
1.1.1.1vuln37
1.1.1.1vuln37
2.2.2.2vuln10
2.2.2.2vuln40
2.2.2.2vuln55
2.2.2.2vuln55


After calculation

ipdc(vuln)dc(vuln) score > 0
1.1.1.132
2.2.2.231



Thank you so much

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎11-01-2023 07:26 AM 
| stats dc(eval(if(score > 0,vuln,null()))) as dc_gt_0 dc(vuln) as dc_all by ip

View solution in original post

Reply
Solved! Jump to solution

LearningGuy
Motivator
‎11-01-2023 12:47 PM

Wow, it worked..    I will accept this as solution.   Thank you so much
What did the "eval if" part do?
if score > 0, then include the vuln, if not assign null function, which means DC will ignore it?

eval(if(score > 0,vuln,null()))

 

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎11-01-2023 03:54 PM

Correct, null values (as returned by the null() function) are ignored by the dc() function

Reply
Solved! Jump to solution

LearningGuy
Motivator
‎11-01-2023 06:30 PM

Hello @ITWhisperer 
How do I calculate sum of unique vuln that has score >0?   
in my mind, it's like this: sum (dc(vuln) score > 0)    but when i tried it, it didn't work

ipdc(vuln)dc(vuln) score > 0sum (dc(vuln) score > 0)
1.1.1.13210
2.2.2.2315


Thank you so much

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎11-02-2023 01:46 AM 
| stats values(score) as score by ip vuln
| stats dc(eval(if(score > 0,vuln,null()))) as dc_gt_0 dc(vuln) as dc_all sum(score) as total_score by ip
Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎11-01-2023 07:26 AM 
| stats dc(eval(if(score > 0,vuln,null()))) as dc_gt_0 dc(vuln) as dc_all by ip
Reply
Get Updates on the Splunk Community!

Data Management Digest – November 2025

  Welcome to the inaugural edition of Data Management Digest! As your trusted partner in data innovation, the ...

Splunk Mobile: Your Brand-New Home Screen

Meet Your New Mobile Hub  Hello Splunk Community!  Staying connected to your data—no matter where you are—is ...

Introducing Value Insights (Beta): Understand the Business Impact your organization ...

Real progress on your strategic priorities starts with knowing the business outcomes your teams are delivering ...