Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to get count of field values?

karthi2809
Builder
‎05-06-2024 08:40 AM

Hi All,

 

How to count field values.The field extracted and showing 55 .When i use below query:

| stats count by content.scheduleDetails.lastRunTime

it will give all the values with counts

| stats dc(content.scheduleDetails.lastRunTime) AS lastRunTime

its showing 55 counts.
my output as:

content.scheduleDetails.lastRunTime     Count
02/FEB/2024 08:22:19 AM 9
02/FEB/2024 08:21:19 AM 63
03/FEB/2024 08:22:19 AM 7

 

Expected output as only total count of the field:

79

 

Labels (2)
Labels
0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎05-06-2024 09:03 AM

Hi

If you want only total count then just drop "by ..."  away from your 1st example.

If needed add 

| where isnotnull(content.scheduleDetails.lastRunTime)

before stats.

r. Ismo

0 Karma
Reply

karthi2809
Builder
‎05-06-2024 09:12 AM

Hi @isoutamo 

If i use | stats Count  i am getting value .But i want to show in pie chart. So i checked in the visualization it showing as no result.

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎05-06-2024 10:47 AM

Well, you can't show a single value in a pie chart. It makes no sense 🙂

So think about what you really want counted.

Also remember that the counting aggregation functions over specific fields (count and dc) count each value even within multivalued fields. That can produce results you'd not expect.

A run-anywhere example:

| makeresults count=100
| streamstats count
| eval count=tostring(count)
| eval digits=split(count,"")
| stats count as eventcount count(digits) as digitcount

It will generate a list of 100 numbers, then it will split the numbers rendered into text into separate digits. And finally it will count both the overall events (which predictably will be 100 since that's how many events we generated) and digits which will say 192 because you had 9 single-digit numbers, 90 two-digit numbers and one three-digit number which got split into 192 single digits spread among 100 events.

So be wary when using the count() and dc() aggregation functions.

Reply

karthi2809
Builder
‎05-08-2024 06:09 AM

Hi @PickleRick 

As i tried by condition .So its showing as by the correlationId.But i want to show the count of lastRunTime field count.If i use lastRunTime  the chart will show all the counts.But i need to club all the values into one.Below the query and i need to show values as 

LastRunTimeCount - 79 in the pie chart

content..lastRunTime="*" content.lastRunTime!="NA"  
[search index="Test" applicationName="scheduler" content.lastRunTime="*"  content.lastRunTime!="NA" | stats latest(correlationId) as correlationId | table correlationId|format]|rename content.lastRunTime as LastRunTimeCount | stats Count(LastRunTimeCount) as total by correlationId

 

0 Karma
Reply
Get Updates on the Splunk Community!

Thanks for the Memories! Splunk University, .conf24, and Community Connections

Thank you to everyone in the Splunk Community who joined us for .conf24 – starting with Splunk University and ...

.conf24 | Day 0

Hello Splunk Community! My name is Chris, and I'm based in Canberra, Australia's capital, and I travelled for ...

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

 (view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...