Splunk Search

How to edit my search to create a table listing specific fields and a stats count?

jdepp
Path Finder

I am trying to display a table that lists specific fields, but also a stats count of one of the fields. It works, but then one of the remaining fields does not display anything.

Search String

source="/data.cycletimes/tcp/10039" | stats sum(totalPosts) as "Total New Posts" by user | rename startDate as "First Post" | table user, "First Post", "Total New Posts"

In the above all columns display the total except the "First Post" field. Also I would like to group it by user so that each user only appears once.
I get it to work with this search, but then user appears more than once.

source="/data.cycletimes/tcp/10039" | stats sum(totalPosts) as "Total New Posts" by user, startDate | rename startDate as "First Post"   | table user, "First Post" ,"Total New Posts"

Appreciate any response and help.


somesoni2
Revered Legend

Try like this

source="/data.cycletimes/tcp/10039" | stats first(startDate) as "First Post" sum(totalPosts) as "Total New Posts"  by user
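
An added example, not part of the original thread: the accepted search run on four constructed events generated with `makeresults`, so it can be pasted into any Splunk search bar without the original data. The user names, dates and counts are constructed sample values, the ISO format of `startDate` is an assumption, and `min(startDate)` is added beside `first(startDate)` to show that `first()` returns the first value in input order rather than the earliest date.

```spl
| makeresults count=4
| streamstats count as n
| eval user=if(n<=2, "user_a", "user_b")
| eval startDate=case(n==1, "2016-01-11", n==2, "2016-01-04", n==3, "2016-01-12", n==4, "2016-01-05")
| eval totalPosts=case(n==1, 5, n==2, 3, n==3, 4, n==4, 2)
| stats first(startDate) as "first(startDate)" min(startDate) as "min(startDate)" sum(totalPosts) as "Total New Posts" by user
```

Each user appears once because `user` is the only field in the `by` clause, and `startDate` survives only because it is wrapped in an aggregation; `stats` drops any field that is neither aggregated nor grouped on, which is why the original `rename startDate` produced an empty column. The rows are ordered newest first, as indexed events normally arrive, so `first(startDate)` returns the later date for each user while `min(startDate)` returns the earlier one.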


jdepp
Path Finder

Thanks. Appreciate it.