Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to get count of field values?

karthi2809
Builder
‎05-06-2024 08:40 AM

Hi All,

 

How to count field values.The field extracted and showing 55 .When i use below query:

| stats count by content.scheduleDetails.lastRunTime

it will give all the values with counts

| stats dc(content.scheduleDetails.lastRunTime) AS lastRunTime

its showing 55 counts.
my output as:

content.scheduleDetails.lastRunTime     Count
02/FEB/2024 08:22:19 AM 9
02/FEB/2024 08:21:19 AM 63
03/FEB/2024 08:22:19 AM 7

 

Expected output as only total count of the field:

79

 

Labels (2)
Labels
0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎05-06-2024 09:03 AM

Hi

If you want only total count then just drop "by ..."  away from your 1st example.

If needed add 

| where isnotnull(content.scheduleDetails.lastRunTime)

before stats.

r. Ismo

0 Karma
Reply

karthi2809
Builder
‎05-06-2024 09:12 AM

Hi @isoutamo 

If i use | stats Count  i am getting value .But i want to show in pie chart. So i checked in the visualization it showing as no result.

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎05-06-2024 10:47 AM

Well, you can't show a single value in a pie chart. It makes no sense 🙂

So think about what you really want counted.

Also remember that the counting aggregation functions over specific fields (count and dc) count each value even within multivalued fields. That can produce results you'd not expect.

A run-anywhere example:

| makeresults count=100
| streamstats count
| eval count=tostring(count)
| eval digits=split(count,"")
| stats count as eventcount count(digits) as digitcount

It will generate a list of 100 numbers, then it will split the numbers rendered into text into separate digits. And finally it will count both the overall events (which predictably will be 100 since that's how many events we generated) and digits which will say 192 because you had 9 single-digit numbers, 90 two-digit numbers and one three-digit number which got split into 192 single digits spread among 100 events.

So be wary when using the count() and dc() aggregation functions.

Reply

karthi2809
Builder
‎05-08-2024 06:09 AM

Hi @PickleRick 

As i tried by condition .So its showing as by the correlationId.But i want to show the count of lastRunTime field count.If i use lastRunTime  the chart will show all the counts.But i need to club all the values into one.Below the query and i need to show values as 

LastRunTimeCount - 79 in the pie chart

content..lastRunTime="*" content.lastRunTime!="NA"  
[search index="Test" applicationName="scheduler" content.lastRunTime="*"  content.lastRunTime!="NA" | stats latest(correlationId) as correlationId | table correlationId|format]|rename content.lastRunTime as LastRunTimeCount | stats Count(LastRunTimeCount) as total by correlationId

 

0 Karma
Reply
Get Updates on the Splunk Community!

Dashboards: Hiding charts while search is being executed and other uses for tokens

There are a couple of features of SimpleXML / Classic dashboards that can be used to enhance the user ...

Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...

This is the fourth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how ...

Brains, Bytes, and Boston: Learn from the Best at .conf25

When you think of Boston, you might picture colonial charm, world-class universities, or even the crack of a ...
Top