Splunk Search

How to use stats command with eval function and distinct function on two separate columns?

tushki6391
New Member

Hi everyone,


State  ID    APP   _time
INFO   ABC   Car   19/08/22 19:51
INFO   ABC   Car   19/08/22 19:52
INFO   DEF   Car   20/08/22 19:53
INFO   ZZZ   Book  30/08/22 19:51
INFO   ZZZ   Book  19/08/22 19:55
WARN   ABC   Car   19/08/22 19:56
WARN   XYZ   Car   20/08/22 19:51
WARN   ZZZ   Book  19/08/22 19:58
WARN   ZZZ   Book  19/08/22 19:59
ERROR  ABC   Car   19/08/22 20:00
ERROR  ABC   Car   19/08/22 20:01
ERROR  XYZA  Car   30/08/22 19:51


I have the following data, as shown in the table above, and I have to create a statistical analysis for the following requirement:

  • Find out the count of distinct ID by APP for any given State


Ex.:

For State=INFO, my results should be:

APP   Count
Car   2
Book  1


For State=ERROR, my results should be:

APP   Count
Car   2


Currently I am trying this:


index=testdata
| stats count(eval(searchmatch("*INFO*"))) BY APP


But I am not getting the count of records with distinct ID.


My question is: how do I use the stats command with the eval function and a distinct function on two separate columns?


ITWhisperer
SplunkTrust
index=testdata
| where State="INFO"
| stats dc(ID) BY APP

yuanliu
SplunkTrust

Something like this?

| stats dc(ID) as Count by State APP


tushki6391
New Member

From my calling application, I have to specify the status type up front and cannot put it in the BY clause.

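The count the question asks for can be produced without a where clause and without State in the BY clause, as an added example that is not from any of the posts above: the eval inside dc() yields the ID only when State matches and null() otherwise, and dc() ignores null values. The sample table is built inline with makeresults so the search runs on any instance; this assumes the format=csv and data arguments of makeresults (Splunk 9.0 and later), and against real data that first line is replaced by index=testdata.

```spl
| makeresults format=csv data="State,ID,APP,event_time
INFO,ABC,Car,19/08/22 19:51
INFO,ABC,Car,19/08/22 19:52
INFO,DEF,Car,20/08/22 19:53
INFO,ZZZ,Book,30/08/22 19:51
INFO,ZZZ,Book,19/08/22 19:55
WARN,ABC,Car,19/08/22 19:56
WARN,XYZ,Car,20/08/22 19:51
WARN,ZZZ,Book,19/08/22 19:58
WARN,ZZZ,Book,19/08/22 19:59
ERROR,ABC,Car,19/08/22 20:00
ERROR,ABC,Car,19/08/22 20:01
ERROR,XYZA,Car,30/08/22 19:51"
| stats dc(eval(if(State="INFO", ID, null()))) AS Count BY APP
| where Count > 0
```

With "INFO" this returns Car 2 and Book 1; with "ERROR" it returns Car 2 only, because the final where drops APP values whose distinct count is zero. A dashboard or calling application substitutes its own state value for that literal (a $state$ token, for example) without touching the BY clause.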