Splunk Search
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to distinct count and separate by type?

vitorvmiguel
Explorer
‎06-02-2015 10:39 AM

I need to make a distinct count of clients and together count what clients had at least one error message?

I have client code, and type success, warning and error, and the same client makes multiple transactions, so i need to count how many distinct clients i have, and if this distinct clients had some error, count only one error per client. I don´t want to use append to keep my search light. Any suggestions?

stats distinct_count(eval(clientcode)) as UniqueClient...

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

jacobwilkins
Communicator
‎06-02-2015 12:15 PM

Lots of ways to do this.

| eval is_not_success=if(match(type,"I"),0,1)
| stats sum(is_not_success) AS error_warn_count by clientcode
| stats count AS TotalDistinctClients, count(eval(error_warn_count>0)) AS DistinctClientsWithErrors

Apologies about the weird negation on "is_not_success" but it is necessary for the "sum".

View solution in original post

Reply
Solved! Jump to solution
Solution

jacobwilkins
Communicator
‎06-02-2015 12:15 PM

Lots of ways to do this.

| eval is_not_success=if(match(type,"I"),0,1)
| stats sum(is_not_success) AS error_warn_count by clientcode
| stats count AS TotalDistinctClients, count(eval(error_warn_count>0)) AS DistinctClientsWithErrors

Apologies about the weird negation on "is_not_success" but it is necessary for the "sum".

Reply
Solved! Jump to solution

vitorvmiguel
Explorer
‎06-03-2015 08:28 AM

It worked! Thanks

0 Karma
Reply
Solved! Jump to solution

Thomas_Aneiro
Explorer
‎06-02-2015 11:05 AM

Would something like this work for you?

eventtype=*  | eventstats dc(user) as userCount | dedup user, error | table user, error, userCount
0 Karma
Reply
Solved! Jump to solution

vitorvmiguel
Explorer
‎06-02-2015 11:22 AM

What is this eventtype=* ? My event field is called "tipo", and its possible values are Error, Success, Warning

0 Karma
Reply
Solved! Jump to solution

Thomas_Aneiro
Explorer
‎06-02-2015 11:25 AM

You can disregard this, I was simply using "Eventtype=*" as a place holder for the search. You probably want a search closer to the following.

index="raw_internet" produto="1" pessoa="F" date_hour!=0 | eventstats dc(user) as userCount | dedup user, tipo | table user, tipo, userCount
0 Karma
Reply
Solved! Jump to solution

aljohnson_splun
Splunk Employee
Splunk Employee
‎06-02-2015 10:49 AM

Can you post a sample event? At present, it looks like the eval in count is unnecessary.

0 Karma
Reply
Solved! Jump to solution

vitorvmiguel
Explorer
‎06-02-2015 11:07 AM

I don´t have any sample, because i´ve tested a ton of functions and none of them took the desirable result, here is my actual querie searching only the disctinct clients, so beside that i have a field type that has 3 possible values E (Error), W (Warning) and I (Success), so i need to filter inside those unique clients who faced an error.

index="raw_internet" produto="1" pessoa="F" date_hour!=0 | stats distinct_count(codigoAcesso) as ClientesUnicos

0 Karma
Reply
Get Updates on the Splunk Community!

Developer Spotlight with Brett Adams

In our third Spotlight feature, we're excited to shine a light on Brett—a Splunk consultant, innovative ...

Index This | What can you do to make 55,555 equal 500?

April 2025 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...

In today’s evolving threat landscape, we understand you’re constantly bombarded with phishing and malware ...
Top