Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to get count by unique value?
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to get count by unique value?
vel4ever
New Member
04-13-2020
06:36 PM
Hi,
I am new to Splunk. I have below log which is capturing product id,
Header product-id, 12345678900
Header product-id, 12345678901
Header product-id, 12345678900
I would like to group by unique product id and count,
12345678900 2
12345678901 1
Here product-id is not a field in splunk. How can write a query for this?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
manjunathmeti
Champion
04-14-2020
10:22 AM
Use rex command.
| rex "product-id,\s(?<product_id>[\d\.]+)" | stats count by product_id
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
harishalipaka
Motivator
04-14-2020
03:44 AM
hi @vel4ever
try this
| makeresults
| eval raw="Header product-id, 12345678900"
|eval ID=mvindex(split(raw," "),-1) |stats count by ID
Thanks
Harish
Harish
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
vel4ever
New Member
04-14-2020
09:55 AM
I am not getting any results for this query. Thanks.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
jpolvino
Builder
04-13-2020
07:35 PM
If your log is literally lines like Header product-id, 12345678900 then you can extract the last value (assuming all digits) and stats-by on that.
Example:
(your search)
| rex "Header product-id, (<productId>\d+)"
| stats count by productId
If this doesn't work, please post the actual events you get back and I'm sure people here can help!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
vel4ever
New Member
04-14-2020
09:55 AM
I am getting error while running this query. And product-id could be decimal value too, ex: 123.4567.8900. Thanks
Get Updates on the Splunk Community!
See your relevant APM services, dashboards, and alerts in one place with the updated ...
As a Splunk Observability user, you have a lot of data you have to manage, prioritize, and troubleshoot on a ...
Index This | What goes away as soon as you talk about it?
May 2025 Edition
Hayyy Splunk Education Enthusiasts and the Eternally Curious!
We’re back with this month’s ...
What's New in Splunk Observability Cloud and Splunk AppDynamics - May 2025
This month, we’re delivering several new innovations in Splunk Observability Cloud and Splunk AppDynamics ...
