Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to get count of field values?

karthi2809
Builder
‎05-06-2024 08:40 AM

Hi All,

 

How to count field values.The field extracted and showing 55 .When i use below query:

| stats count by content.scheduleDetails.lastRunTime

it will give all the values with counts

| stats dc(content.scheduleDetails.lastRunTime) AS lastRunTime

its showing 55 counts.
my output as:

content.scheduleDetails.lastRunTime     Count
02/FEB/2024 08:22:19 AM 9
02/FEB/2024 08:21:19 AM 63
03/FEB/2024 08:22:19 AM 7

 

Expected output as only total count of the field:

79

 

Labels (2)
Labels
0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎05-06-2024 09:03 AM

Hi

If you want only total count then just drop "by ..."  away from your 1st example.

If needed add 

| where isnotnull(content.scheduleDetails.lastRunTime)

before stats.

r. Ismo

0 Karma
Reply

karthi2809
Builder
‎05-06-2024 09:12 AM

Hi @isoutamo 

If i use | stats Count  i am getting value .But i want to show in pie chart. So i checked in the visualization it showing as no result.

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎05-06-2024 10:47 AM

Well, you can't show a single value in a pie chart. It makes no sense 🙂

So think about what you really want counted.

Also remember that the counting aggregation functions over specific fields (count and dc) count each value even within multivalued fields. That can produce results you'd not expect.

A run-anywhere example:

| makeresults count=100
| streamstats count
| eval count=tostring(count)
| eval digits=split(count,"")
| stats count as eventcount count(digits) as digitcount

It will generate a list of 100 numbers, then it will split the numbers rendered into text into separate digits. And finally it will count both the overall events (which predictably will be 100 since that's how many events we generated) and digits which will say 192 because you had 9 single-digit numbers, 90 two-digit numbers and one three-digit number which got split into 192 single digits spread among 100 events.

So be wary when using the count() and dc() aggregation functions.

Reply

karthi2809
Builder
‎05-08-2024 06:09 AM

Hi @PickleRick 

As i tried by condition .So its showing as by the correlationId.But i want to show the count of lastRunTime field count.If i use lastRunTime  the chart will show all the counts.But i need to club all the values into one.Below the query and i need to show values as 

LastRunTimeCount - 79 in the pie chart

content..lastRunTime="*" content.lastRunTime!="NA"  
[search index="Test" applicationName="scheduler" content.lastRunTime="*"  content.lastRunTime!="NA" | stats latest(correlationId) as correlationId | table correlationId|format]|rename content.lastRunTime as LastRunTimeCount | stats Count(LastRunTimeCount) as total by correlationId

 

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Answers Content Calendar, June Edition

Get ready for this week’s post dedicated to Splunk Dashboards! We're celebrating the power of community by ...

What You Read The Most: Splunk Lantern’s Most Popular Articles!

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

See your relevant APM services, dashboards, and alerts in one place with the updated ...

As a Splunk Observability user, you have a lot of data you have to manage, prioritize, and troubleshoot on a ...
Top