Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to distinct count and separate by type?

vitorvmiguel
Explorer
‎06-02-2015 10:39 AM

I need to make a distinct count of clients and together count what clients had at least one error message?

I have client code, and type success, warning and error, and the same client makes multiple transactions, so i need to count how many distinct clients i have, and if this distinct clients had some error, count only one error per client. I don´t want to use append to keep my search light. Any suggestions?

stats distinct_count(eval(clientcode)) as UniqueClient...

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

jacobwilkins
Communicator
‎06-02-2015 12:15 PM

Lots of ways to do this.

| eval is_not_success=if(match(type,"I"),0,1)
| stats sum(is_not_success) AS error_warn_count by clientcode
| stats count AS TotalDistinctClients, count(eval(error_warn_count>0)) AS DistinctClientsWithErrors

Apologies about the weird negation on "is_not_success" but it is necessary for the "sum".

View solution in original post

Reply
Solved! Jump to solution
Solution

jacobwilkins
Communicator
‎06-02-2015 12:15 PM

Lots of ways to do this.

| eval is_not_success=if(match(type,"I"),0,1)
| stats sum(is_not_success) AS error_warn_count by clientcode
| stats count AS TotalDistinctClients, count(eval(error_warn_count>0)) AS DistinctClientsWithErrors

Apologies about the weird negation on "is_not_success" but it is necessary for the "sum".

Reply
Solved! Jump to solution

vitorvmiguel
Explorer
‎06-03-2015 08:28 AM

It worked! Thanks

0 Karma
Reply
Solved! Jump to solution

Thomas_Aneiro
Explorer
‎06-02-2015 11:05 AM

Would something like this work for you?

eventtype=*  | eventstats dc(user) as userCount | dedup user, error | table user, error, userCount
0 Karma
Reply
Solved! Jump to solution

vitorvmiguel
Explorer
‎06-02-2015 11:22 AM

What is this eventtype=* ? My event field is called "tipo", and its possible values are Error, Success, Warning

0 Karma
Reply
Solved! Jump to solution

Thomas_Aneiro
Explorer
‎06-02-2015 11:25 AM

You can disregard this, I was simply using "Eventtype=*" as a place holder for the search. You probably want a search closer to the following.

index="raw_internet" produto="1" pessoa="F" date_hour!=0 | eventstats dc(user) as userCount | dedup user, tipo | table user, tipo, userCount
0 Karma
Reply
Solved! Jump to solution

aljohnson_splun
Splunk Employee
Splunk Employee
‎06-02-2015 10:49 AM

Can you post a sample event? At present, it looks like the eval in count is unnecessary.

0 Karma
Reply
Solved! Jump to solution

vitorvmiguel
Explorer
‎06-02-2015 11:07 AM

I don´t have any sample, because i´ve tested a ton of functions and none of them took the desirable result, here is my actual querie searching only the disctinct clients, so beside that i have a field type that has 3 possible values E (Error), W (Warning) and I (Success), so i need to filter inside those unique clients who faced an error.

index="raw_internet" produto="1" pessoa="F" date_hour!=0 | stats distinct_count(codigoAcesso) as ClientesUnicos

0 Karma
Reply
Get Updates on the Splunk Community!

What’s New in Splunk Observability Cloud – June 2025

What’s New in Splunk Observability Cloud – June 2025 We are excited to announce the latest enhancements to ...

Almost Too Eventful Assurance: Part 2

Work While You SleepBefore you can rely on any autonomous remediation measures, you need to close the loop ...

Leveraging Detections from the Splunk Threat Research Team & Cisco Talos

 Stay ahead of today’s evolving threats with the combined power of the Splunk Threat Research Team (STRT) and ...
Top