Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to retrieve time\date after distinct count search?

abovebeyond
Communicator
‎12-27-2015 08:35 AM

Hi,

My search is:

mysearch |  stats dc(Errorcode) as Errors By Name

I want to get results for 2 options:

option 1: adding date to the results
option 2 : distinct count by date , Errorcode , Name

Thanks 🙂

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

esix_splunk
Splunk Employee
Splunk Employee
‎12-27-2015 09:33 AM

You can update your search as

mysearch | stats dc(Errorcode) as Errors By Name _time

That will add the _time field to your results. You may want to consider bucketing your time into larger groups here however. For example if you have 10 events that occur every 1 minute, your DC will now by off because its grouping by time also. So you might want to do..

mysearch | bin span=1d _time | stats dc(Errorcode) as Errors By Name _time

This will group the results together in 1 day buckets. So you'll look at a DC of Errorcode over a 24h period.

It's also worth noting that stats is a reducing command. If you are wanting to maintain the time stamp of the original events, you'll need to do some additional work along the lines of creating a new field that holds the timestamp of the event and adding that into the stats pipeline.

View solution in original post

Reply
Solved! Jump to solution
Solution

esix_splunk
Splunk Employee
Splunk Employee
‎12-27-2015 09:33 AM

You can update your search as

mysearch | stats dc(Errorcode) as Errors By Name _time

That will add the _time field to your results. You may want to consider bucketing your time into larger groups here however. For example if you have 10 events that occur every 1 minute, your DC will now by off because its grouping by time also. So you might want to do..

mysearch | bin span=1d _time | stats dc(Errorcode) as Errors By Name _time

This will group the results together in 1 day buckets. So you'll look at a DC of Errorcode over a 24h period.

It's also worth noting that stats is a reducing command. If you are wanting to maintain the time stamp of the original events, you'll need to do some additional work along the lines of creating a new field that holds the timestamp of the event and adding that into the stats pipeline.

Reply
Solved! Jump to solution

abovebeyond
Communicator
‎12-27-2015 11:05 AM

Thanks ! exactly what i need

appreciate your help

0 Karma
Reply
Solved! Jump to solution

ppablo
Retired
‎12-28-2015 02:40 PM

Hi @abovebeyond

Glad you were able to find a solution from @esix_splunk here on Answers. Don't forget to resolve your posts by clicking "Accept" directly below the answers that solved your questions to help other users with similar issues find them.

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

🍂 Fall into November with a fresh lineup of Community Office Hours, Tech Talks, and Webinars we’ve ...

Transform your security operations with Splunk Enterprise Security

Hi Splunk Community, Splunk Platform has set a great foundation for your security operations. With the ...

Splunk Admins and App Developers | Earn a $35 gift card!

Splunk, in collaboration with ESG (Enterprise Strategy Group) by TechTarget, is excited to announce a ...