- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: How to get field count rather than stats count...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to get field count rather than stats count?
Here's my query:
index="smt_fortigate" host="10.8.12.1" srcintf=mysummitwifi | stats count by devtype
What I want to do is get something like this :
devtype
iphone 100
windows 105
Android 200
I don't want stats on all of the events. I just want the totals of of all the possibilities for the devtype Field. How would I write this?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Like this:
index="smt_fortigate" host="10.8.12.1" srcintf=mysummitwifi | stats dc(devtype)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi
Are you looking for this
index="smt_fortigate" host="10.8.12.1" srcintf=mysummitwifi | stats count(devtype) as count
& if you are looking for distinct count - index="smt_fortigate" host="10.8.12.1" srcintf=mysummitwifi | stats dc(devtype)
but this only gives the unique values & count of devtype field which is not you are looking for i guess.
Thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yeah what you said "index="smt_fortigate" host="10.8.12.1" srcintf=mysummitwifi | stats dc(devtype)
but this only gives the unique values & count of devtype field" is exactly right. So I was asking the question sort of wrong.
ultimately my query ended up looking like this to give me my desired output:
index="smt_fortigate" host="10.8.12.1" srcintf=mysummitwifi | stats dc(src_mac) by devtype
which give me a count of src_mac and groups them by devtype
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@summitsplunk Can you be more clear, looking at the desired output you have shared your query looks correct , do you have some sample data with output example?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Figured it out. So I just didn't know how to ask the question but with some googling I found the write term which is "Distinct Count"... Basically I wanted to get a distinct count of each field. Like seen in this article:
Introducing Splunk Enterprise 9.2
Adoption of RUM and APM at Splunk
Routing logs with Splunk OTel Collector for Kubernetes
