How to get count by unique value?

vel4ever · ‎04-13-2020

Hi,

I am new to Splunk. I have below log which is capturing product id,

Header product-id, 12345678900
Header product-id, 12345678901
Header product-id, 12345678900

I would like to group by unique product id and count,

12345678900 2
12345678901 1

Here product-id is not a field in splunk. How can write a query for this?

manjunathmeti · ‎04-14-2020

Use rex command.

 | rex "product-id,\s(?<product_id>[\d\.]+)" | stats count by product_id

harishalipaka · ‎04-14-2020

hi @vel4ever

try this

| makeresults 
 | eval raw="Header product-id, 12345678900" 
 |eval ID=mvindex(split(raw," "),-1) |stats count by ID

Thanks
Harish

vel4ever · ‎04-14-2020

I am not getting any results for this query. Thanks.

jpolvino · ‎04-13-2020

If your log is literally lines like Header product-id, 12345678900 then you can extract the last value (assuming all digits) and stats-by on that.

Example:

(your search)
| rex "Header product-id, (<productId>\d+)"
| stats count by productId

If this doesn't work, please post the actual events you get back and I'm sure people here can help!

vel4ever · ‎04-14-2020

I am getting error while running this query. And product-id could be decimal value too, ex: 123.4567.8900. Thanks

Are you a member of the Splunk Community?