Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to get field count rather than stats count?

summitsplunk
Communicator
‎05-09-2019 01:36 PM

Here's my query:

index="smt_fortigate" host="10.8.12.1" srcintf=mysummitwifi | stats count by devtype

What I want to do is get something like this :

devtype

iphone 100
windows 105
Android 200

I don't want stats on all of the events. I just want the totals of of all the possibilities for the devtype Field. How would I write this?

Tags (1)
0 Karma
Reply

woodcock
Esteemed Legend
‎05-10-2019 10:09 PM

Like this:

index="smt_fortigate" host="10.8.12.1" srcintf=mysummitwifi | stats dc(devtype)
0 Karma
Reply

PowerPacked
Builder
‎05-09-2019 04:05 PM

Hi

Are you looking for this

index="smt_fortigate" host="10.8.12.1" srcintf=mysummitwifi | stats count(devtype) as count

& if you are looking for distinct count - index="smt_fortigate" host="10.8.12.1" srcintf=mysummitwifi | stats dc(devtype)
but this only gives the unique values & count of devtype field which is not you are looking for i guess.

Thanks

Reply

summitsplunk
Communicator
‎05-10-2019 02:33 PM

Yeah what you said "index="smt_fortigate" host="10.8.12.1" srcintf=mysummitwifi | stats dc(devtype)
but this only gives the unique values & count of devtype field" is exactly right. So I was asking the question sort of wrong.

ultimately my query ended up looking like this to give me my desired output:
index="smt_fortigate" host="10.8.12.1" srcintf=mysummitwifi | stats dc(src_mac) by devtype

which give me a count of src_mac and groups them by devtype

0 Karma
Reply

Vijeta
Influencer
‎05-09-2019 02:23 PM

@summitsplunk Can you be more clear, looking at the desired output you have shared your query looks correct , do you have some sample data with output example?

0 Karma
Reply

summitsplunk
Communicator
‎05-09-2019 02:28 PM

Figured it out. So I just didn't know how to ask the question but with some googling I found the write term which is "Distinct Count"... Basically I wanted to get a distinct count of each field. Like seen in this article:

https://answers.splunk.com/answers/46241/how-can-i-retrieve-count-or-distinct-count-of-some-field-va...

0 Karma
Reply
Get Updates on the Splunk Community!

Observability Unlocked: Kubernetes Monitoring with Splunk Observability Cloud

 Ready to master Kubernetes and cloud monitoring like the pros? Join Splunk’s Growth Engineering team for an ...

Update Your SOAR Apps for Python 3.13: What Community Developers Need to Know

To Community SOAR App Developers - we're reaching out with an important update regarding Python 3.9's ...

October Community Champions: A Shoutout to Our Contributors!

As October comes to a close, we want to take a moment to celebrate the people who make the Splunk Community ...