Re: How to get a stats count against the sourcetyp...

ehaile · ‎07-28-2015

I have a lookup table that consists of 5 fields (index, sourcetype, description, owner, os). I would like to perform a stats count against the sourcetype, while listing all the other fields in the lookup table. However, I cannot figure out how to search against my data to populate the stats count by sourcetype. Below is the search I have created.

|inputlookup Sourctype.csv|fields + index, sourcetype, desc, owner, os|stats count by sourcetype, index, desc, os

somesoni2 · ‎08-06-2015

I believe you need something like this

 |inputlookup Sourctype.csv|fields + index, sourcetype, desc, owner, os|eventstats count by sourcetype

THis will just a new columns count with count based on sourcetype, keeping all rows together.

woodcock · ‎07-28-2015

Like this:

|inputlookup Sourctype.csv |stats values(*) BY sourcetype | appendcols [|inputlookup Sourctype.csv |stats dc(sourcetype)]

woodcock · ‎08-06-2015

I am not exactly sure what you are trying to get but maybe like this:

| inputlookup Sourctype.csv | stats count values(*) BY sourcetype

This counts the number of lines that contain each sourcetype and lists the values of the other fields, too.

ehaile · ‎08-06-2015

Thanks Woodcock for your response.

Unfortunately I'm only getting a count for the first row , as a opposed to each row.

How would I go about getting a stats count for each row as well?

How to get a stats count against the sourcetype from lookup table while listing all other fields?

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms