How to use stats command with eval function and distinct function on two separate columns?
tushki6391
New Member
08-19-2022
08:34 AM
Hi everyone,
State | ID | APP | _time |
INFO | ABC | Car | 19/08/22 19:51 |
INFO | ABC | Car | 19/08/22 19:52 |
INFO | DEF | Car | 20/08/22 19:53 |
INFO | ZZZ | Book | 30/08/22 19:51 |
INFO | ZZZ | Book | 19/08/22 19:55 |
WARN | ABC | Car | 19/08/22 19:56 |
WARN | XYZ | Car | 20/08/22 19:51 |
WARN | ZZZ | Book | 19/08/22 19:58 |
WARN | ZZZ | Book | 19/08/22 19:59 |
ERROR | ABC | Car | 19/08/22 20:00 |
ERROR | ABC | Car | 19/08/22 20:01 |
ERROR | XYZA | Car | 30/08/22 19:51 |
I have the following data as mentioned in the table above, and I have to create a statistical analysis for the following requirement:
- Find out count of distinct ID By APP for any given STATE
Ex.:
For State=Info, My Results should be:
APP | Count |
Car | 2 |
Book | 1 |
For State=ERROR, My Results should be:
APP | Count |
Car | 2 |
Currently I am trying like this:
index=testdata
| stats count(eval(searchmatch("*INFO*"))) BY APP
But I am not getting the count of records with distinct ID.
My Question is: How to use stats command with eval function and distinct function on two separate columns.
ITWhisperer
SplunkTrust
08-22-2022
11:28 PM
index=testdata
| where State="INFO"
| stats dc(ID) BY APP
yuanliu
SplunkTrust
08-19-2022
10:21 PM
Something like this?
| stats dc(ID) as Count by State APP
tushki6391
New Member
08-22-2022
11:19 PM
From my calling application, I have to specify the status type upfront and cannot put it in the BY clause.
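An added example, not part of any post in this thread: a self-contained search that combines `dc` with `eval` inside `stats`, so the State value is fixed in the search and only APP appears in the BY clause. The field names State, ID and APP come from the question; the `sample_row` field and the `makeresults` scaffolding are constructed here to reproduce the question's twelve rows without the `testdata` index.

```spl
| makeresults
| eval sample_row=split("INFO,ABC,Car;INFO,ABC,Car;INFO,DEF,Car;INFO,ZZZ,Book;INFO,ZZZ,Book;WARN,ABC,Car;WARN,XYZ,Car;WARN,ZZZ,Book;WARN,ZZZ,Book;ERROR,ABC,Car;ERROR,ABC,Car;ERROR,XYZA,Car", ";")
| mvexpand sample_row
| eval State=mvindex(split(sample_row, ","), 0)
| eval ID=mvindex(split(sample_row, ","), 1)
| eval APP=mvindex(split(sample_row, ","), 2)
| stats dc(eval(if(State="INFO", ID, null()))) AS Count BY APP
```

With State="INFO" this returns Car 2 and Book 1. With State="ERROR" it returns Car 2 and Book 0, whereas filtering with `where State="ERROR"` before `stats dc(ID) BY APP` returns only the Car row.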