Splunk Search

I need help using dedup and dc count

Explorer

I have the following search; based on this, I just want to see unique values for the search.

index=one eventtype=one_tu
| sort -time, ComputerName
| dedup id
| stats dc(id) as ID
| search open=false
| table Date, ComputerName, agentName, class, Content, id

0 Karma
1 Solution

Esteemed Legend

Never use sort without a number. There is no need to use both; try this:

index=one eventtype=one_tu
| sort 0 -time, ComputerName
| dedup id
| search open="false"
| table Date, ComputerName, agentName, class,Content,id

0 Karma
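As an added illustration (not part of the thread, and not the asker's data), here is the accepted pipeline run end to end on four constructed events built with makeresults, so it can be pasted into any Splunk search bar without the one_tu index. Two events share id=101; the newer one is kept by dedup because sort 0 -_time puts it first. The distinct count of surviving ids is appended with appendpipe instead of an inline stats dc(id), since an inline stats would collapse the result set to a single row with only the ID field and the later search open=false would then match nothing. The example sorts on _time rather than the thread's time field; the field names and values are assumptions for the demo.

```spl
| makeresults count=4
| streamstats count as n
| eval _time = _time - n*60
| eval id = mvindex(split("101,102,101,103", ","), n-1)
| eval ComputerName = mvindex(split("hostA,hostB,hostA,hostC", ","), n-1)
| eval agentName = mvindex(split("agent1,agent2,agent1,agent3", ","), n-1)
| eval open = if(n=4, "true", "false")
| sort 0 -_time, ComputerName
| dedup id
| search open="false"
| appendpipe [ stats dc(id) as unique_ids ]
| table _time, ComputerName, agentName, id, unique_ids
```

Expected shape of the output: two detail rows (id 101 from hostA, id 102 from hostB; the older 101 was removed by dedup and id 103 was dropped by open="false"), followed by a third row carrying only unique_ids=2. The 0 after sort lifts the default 10,000-result cap, which is the point the accepted answer makes about never using sort without a number.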

SplunkTrust

Hi @sunnyft,

I think you're looking for something like this :

index=one eventtype=one_tu open=false
| sort -time, ComputerName
| dedup id
| stats dc(id) as ID by Date, ComputerName, agentName, class, Content

Let me know if that helps !

Cheers,
David

0 Karma

Explorer

No, it didn't work. I am not able to see any Statistics.

0 Karma

SplunkTrust

Try using this first :

 index=one eventtype=one_tu  open=false
 | sort -time, ComputerName
 | dedup id

Does it give you anything ?
If so, could you please check whether you have the following fields: Date, ComputerName, agentName, class, Content?

Could it be that you don't have a field called Date?

 index=one eventtype=one_tu  open=false
 | dedup id
 | stats dc(id) as ID, values(agentName) as agentName, values(class) as class, values(Content) as Content by _time, ComputerName

0 Karma

Ultra Champion
index=one eventtype=one_tu open="false"
| fields Date ComputerName agentName class Content id
| stats values(*) as * by id

reference:

  • by-clause
    • Syntax: BY
    • Description: The name of one or more fields to group by. You cannot use a wildcard character to specify multiple fields with similar names. You must specify each field separately. The BY clause returns one row for each distinct value in the BY clause fields. If no BY clause is specified, the stats command returns only one row, which is the aggregation over the entire incoming result set.

If you want to display the fields for each id, try my query.

0 Karma

SplunkTrust

Your stats dc(id) as ID takes away all other fields.
If I understand your needs, try this:
index=one eventtype=one_tu open=false | stats values(id) as all_ids
If you want to see it with the other fields for context, add a by clause to your stats command.

0 Karma

Explorer

Tried using this as well, but no results.

0 Karma

Explorer

I want to add the info to the table without duplicates.

0 Karma

Explorer

Under Statistics I get 0 count. However, if I don't use stats values I see the results, but I want to get a unique count, so I still need help.

0 Karma

SplunkTrust

Can you share a sample event or two?

0 Karma

Explorer

Maybe I don't even need to use stats dc. I am getting answers when I use this: | stats values(id) as -__Name. However, the table is empty. I was trying to get rid of duplicate Name values, even if they come from different users. I am not even sure if I need to use stats dc, but I don't want to see duplicate values in the table.

If I don't use | stats values(id) as -__Name, I'm getting results, but duplicates as well.

0 Karma