Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to get stats based on multiple values for a single source?

Nidheesh
Explorer
‎08-06-2018 06:25 AM

I have 3 sources source1, source2, source3 and 5 sourcetypes sourcetype1, sourcetype2, sourcetype3, sourcetype4, sourcetype5 for a single host host1.

Where sourcetype1 belongs exclusively to source1 and sourcetype2 to source2 but source3 has 3 sourcetypes; sourcetype3, sourcetype4 and sourcetype5.

Likewise, I have 2 sources source4, source5 and 3 sourcetypes sourcetype6, sourcetype7, sourcetype8 for another host host2. With source4 having sourcetype6 and source5 having sourcetype7 and sourcetype8.

I wish to have a stats count like this:

        ---------------------------------------
        host         source      sourcetype
        ---------------------------------------
        host1       source1     sourcetype1
        host1       source2     sourcetype2
        host1       source3     sourcetype3
        host1       source3     sourcetype4
        host1       source3     sourcetype5
        host2       source4     sourcetype6
        host2       source5     sourcetype7
        host2       source5     sourcetype8

Can someone please help?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

adonio
Ultra Champion
‎08-06-2018 06:44 AM

maybe try this:

.... | stats values(sourcetype) as v_sourcetype by source host

View solution in original post

0 Karma
Reply
Solved! Jump to solution

renjith_nair
Legend
‎08-06-2018 07:16 AM

It shouldn't be that simple but what's missing from

"your search"|stats count by host,source,sourcetype
---
What goes around comes around. If it helps, hit it with Karma 🙂
Reply
Solved! Jump to solution

DalJeanis
Legend
‎08-06-2018 10:28 AM

It is that simple. Or, at least, that meets the request the OP wrote up.

0 Karma
Reply
Solved! Jump to solution

493669
Super Champion
‎08-06-2018 06:45 AM

try below if you want count:

...|stats count by sourcetype

and if you want all values as well then try:

...|stats values(*) as * count by sourcetype
Reply
Solved! Jump to solution

Nidheesh
Explorer
‎08-06-2018 10:41 AM

Thank you 🙂

0 Karma
Reply
Solved! Jump to solution
Solution

adonio
Ultra Champion
‎08-06-2018 06:44 AM

maybe try this:

.... | stats values(sourcetype) as v_sourcetype by source host

0 Karma
Reply
Solved! Jump to solution

Nidheesh
Explorer
‎08-06-2018 10:40 AM

Thank you Adonio. It worked.

0 Karma
Reply
Get Updates on the Splunk Community!

How to Monitor Google Kubernetes Engine (GKE)

We’ve looked at how to integrate Kubernetes environments with Splunk Observability Cloud, but what about ...

Index This | How can you make 45 using only 4?

October 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Splunk Education Goes to Washington | Splunk GovSummit 2024

If you’re in the Washington, D.C. area, this is your opportunity to take your career and Splunk skills to the ...