I have the following search. Based on this, I just want to see unique values for the search.
index=one eventtype=one_tu
| sort -time, ComputerName
| dedup id
|stat dc(id) as ID
| search open=false
| table Date, ComputerName, agentName, class,Content,id
Never use sort without a number. There is no need to use both; try this:
index=one eventtype=one_tu
| sort 0 -time, ComputerName
| dedup id
| search open="false"
| table Date, ComputerName, agentName, class,Content,id
Hi @sunnyft,
I think you're looking for something like this:
index=one eventtype=one_tu open=false
| sort -time, ComputerName
| dedup id
|stats dc(id) as ID by Date, ComputerName, agentName, class,Content
Let me know if that helps!
Cheers,
David
No, it didn't work. I am not able to see any statistics.
Try using this first:
index=one eventtype=one_tu open=false
| sort -time, ComputerName
| dedup id
Does it give you anything?
If so, could you please check if you have the following fields: Date, ComputerName, agentName, class, Content?
Could it be that you don't have a field called Date?
index=one eventtype=one_tu open=false
| dedup id
|stats dc(id) as ID, values(agentName) as agentName, values(class) as class, values(Content) as Content by _time, ComputerName
index=one eventtype=one_tu open="false"
| fields Date ComputerName agentName class Content id
| stats values(*) as * by id
If you want to display fields by each id, try my query.
Your stats dc(id) as ID takes away all other fields.
If I understand your needs, try this:
index = one eventtype=one_tu open=false | stats values(id) as all_ids
If you want to see it with other fields' context, add a by clause for your stats command.
Tried using this as well, but no results.
I want to add the info in the table without duplicates.
Under statistics I get 0 count; however, if I don't use stats value I see the results, but I want to get a unique count, so I still need help.
Can you share a sample event/s?
Maybe I don't even need to use stat dc. I am getting answers when I use this | stats values(id) as -__Name however the table is empty. I was trying to get rid of duplicate Name even if it is by a different user. I am not even sure if I need to use stats dc, but I don't want to see duplicate values in the table.
If I don't use | stats values(id) as -__Name I'm getting results, but duplicates as well.
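Added example, not part of the thread: a self-contained search over constructed `makeresults` events (every field value below is made up, and `unique_ids` is a hypothetical field name) that filters on open, keeps one row per id with dedup, and uses eventstats rather than stats so the distinct count is added without dropping the fields the table needs.

```spl
| makeresults count=6
| streamstats count AS n
| eval id=case(n<=2, "A1", n<=4, "B2", true(), "C3")
| eval open=if(id="C3", "true", "false")
| eval ComputerName="host".(n%2), agentName="agent".n, class="constructed"
| eval Content="constructed sample ".n
| eval Date=strftime(_time - n*3600, "%Y-%m-%d %H:%M")
| search open="false"
| sort 0 -Date, ComputerName
| dedup id
| eventstats dc(id) AS unique_ids
| table Date, ComputerName, agentName, class, Content, id, unique_ids
```

The result is two rows (ids A1 and B2), each carrying unique_ids=2. Replacing eventstats with stats at that point leaves only the count column, which is why a later table on the other fields comes back empty.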