Splunk Search

How to write "| stats count" to field?

Engager

How to I must a write result from stats count to field?
Example ideas...

| inputlookup lookup
| stats count(eval(field1="example-data")) as Example, count(eval(field1="secondexample-data")) as SecondExample
| table Example, SecondExample

Thank.

0 Karma
1 Solution

Legend

Hi sbimizry,
Probably I didn't understand your problem, but you could try something like this:

| inputlookup lookup 
| stats count BY field1

Bye.
Giuseppe

View solution in original post

0 Karma

Esteemed Legend

Like this:

| inputlookup lookup
| stats count BY field1
0 Karma

Legend

Hi sbimizry,
Probably I didn't understand your problem, but you could try something like this:

| inputlookup lookup 
| stats count BY field1

Bye.
Giuseppe

View solution in original post

0 Karma

Engager

Hi, I will try to explain.
There is a lookup with data, there is a field with 4 possible values. let's call this field conditionally field1.
I need to count the number of all 4 values ​​and save in a separate field, for example fieldcount1, fieldcount2, fieldcount3, fieldcount4 and use this for example | table fieldcount1, fieldcount2, fieldcount3, fieldcount4

0 Karma

Legend

Hi sbimizry,
to have the for values on one row, try something like this:

| inputlookup lookup 
| stats count(eval(field1="value1")) AS value1 count(eval(field1="value2")) AS value2 count(eval(field1="value3")) AS value3 count(eval(field1="value4")) AS value4

Bye.
Giuseppe

0 Karma

Engager

I tried to do it, it does not work in my case.

0 Karma

Motivator

Try this run-anywhere search (based on @gcusello 's answer).

| makeresults count=100
| eval field1=(random() % 4) + 1
| eval field1="value" . field1
| stats count(eval(field1="value1")) AS fieldcount1
        count(eval(field1="value2")) AS fieldcount2
        count(eval(field1="value3")) AS fieldcount3
        count(eval(field1="value4")) AS fieldcount4
Cheers,
Jacob
0 Karma