Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to get field count rather than stats count?

summitsplunk
Communicator
‎05-09-2019 01:36 PM

Here's my query:

index="smt_fortigate" host="10.8.12.1" srcintf=mysummitwifi | stats count by devtype

What I want to do is get something like this :

devtype

iphone 100
windows 105
Android 200

I don't want stats on all of the events. I just want the totals of of all the possibilities for the devtype Field. How would I write this?

Tags (1)
0 Karma
Reply

woodcock
Esteemed Legend
‎05-10-2019 10:09 PM

Like this:

index="smt_fortigate" host="10.8.12.1" srcintf=mysummitwifi | stats dc(devtype)
0 Karma
Reply

PowerPacked
Builder
‎05-09-2019 04:05 PM

Hi

Are you looking for this

index="smt_fortigate" host="10.8.12.1" srcintf=mysummitwifi | stats count(devtype) as count

& if you are looking for distinct count - index="smt_fortigate" host="10.8.12.1" srcintf=mysummitwifi | stats dc(devtype)
but this only gives the unique values & count of devtype field which is not you are looking for i guess.

Thanks

Reply

summitsplunk
Communicator
‎05-10-2019 02:33 PM

Yeah what you said "index="smt_fortigate" host="10.8.12.1" srcintf=mysummitwifi | stats dc(devtype)
but this only gives the unique values & count of devtype field" is exactly right. So I was asking the question sort of wrong.

ultimately my query ended up looking like this to give me my desired output:
index="smt_fortigate" host="10.8.12.1" srcintf=mysummitwifi | stats dc(src_mac) by devtype

which give me a count of src_mac and groups them by devtype

0 Karma
Reply

Vijeta
Influencer
‎05-09-2019 02:23 PM

@summitsplunk Can you be more clear, looking at the desired output you have shared your query looks correct , do you have some sample data with output example?

0 Karma
Reply

summitsplunk
Communicator
‎05-09-2019 02:28 PM

Figured it out. So I just didn't know how to ask the question but with some googling I found the write term which is "Distinct Count"... Basically I wanted to get a distinct count of each field. Like seen in this article:

https://answers.splunk.com/answers/46241/how-can-i-retrieve-count-or-distinct-count-of-some-field-va...

0 Karma
Reply
Get Updates on the Splunk Community!

Update Your SOAR Apps for Python 3.13: What Community Developers Need to Know

To Community SOAR App Developers - we're reaching out with an important update regarding Python 3.9's ...

October Community Champions: A Shoutout to Our Contributors!

As October comes to a close, we want to take a moment to celebrate the people who make the Splunk Community ...

Automatic Discovery Part 2: Setup and Best Practices

In Part 1 of this series, we covered what Automatic Discovery is and why it’s critical for observability at ...