Splunk Search

I need help using dedup and dc count?

Explorer

I have the following search. Based on this, I just want to see unique values for the search.

index=one eventtype=one_tu
| sort -time, ComputerName
| dedup id
| stats dc(id) as ID
| search open=false
| table Date, ComputerName, agentName, class,Content,id

0 Karma

Re: I need help using dedup and dc count?

SplunkTrust

Your stats dc(id) as ID takes away all other fields.
If I understand your needs, try this:
index = one eventtype=one_tu open=false | stats values(id) as all_ids
If you want to see it with the context of other fields, add a by clause to your stats command.

0 Karma
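
Why the original pipeline comes back empty, as an added example that is not part of the thread: `stats dc(id) as ID` without a BY clause leaves a single row holding only `ID`, so the later `search open=false` and `table` have no fields left to match. The search below runs on constructed sample events built with `makeresults` (the `sample-id-*` and `host-*` values are made up), filters first, keeps the newest event per id, and uses `eventstats` to attach the distinct count without dropping the other fields.

```spl
| makeresults count=6
| streamstats count as n
| eval _time=_time-(n*60)
| eval id=case(n<=2, "sample-id-1", n<=4, "sample-id-2", true(), "sample-id-3")
| eval ComputerName=if(n%3==0, "host-a", "host-b")
| eval open=if(n==6, "true", "false")
| search open=false
| sort 0 -_time, ComputerName
| dedup id
| eventstats dc(id) as unique_ids
| table _time, ComputerName, id, open, unique_ids
```

This returns three rows, one per id, each carrying `unique_ids=3`; swapping the `eventstats` line for `stats dc(id) as ID` collapses them to one row with only `ID`.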

Re: I need help using dedup and dc count?

Explorer

Tried using this as well but no results

0 Karma

Re: I need help using dedup and dc count?

Explorer

Under Statistics I get a 0 count; however, if I don't use stats value I see the results, but I want to get a unique count, so I still need help.

0 Karma

Re: I need help using dedup and dc count?

SplunkTrust

Can you share a sample event/s?

0 Karma

Re: I need help using dedup and dc count?

Explorer

Maybe I don't even need to use stat dc. I am getting answers when I use this | stats values(id) as -__Name, however the table is empty. I was trying to get rid of duplicate Name even if it is by a different user. I am not even sure if I need to use stats dc, but I don't want to see duplicate values in the table.

If I don't use | stats values(id) as -__Name I'm getting results, but duplicates as well.

0 Karma

Re: I need help using dedup and dc count?

Explorer

I want to add the info in the table without duplicates.

0 Karma

Re: I need help using dedup and dc count?

Ultra Champion
index=one eventtype=one_tu open="false"
| fields Date ComputerName  agentName  class Content id
| stats values(*) as * by id

reference:

  • by-clause
    • Syntax: BY
    • Description: The name of one or more fields to group by. You cannot use a wildcard character to specify multiple fields with similar names. You must specify each field separately. The BY clause returns one row for each distinct value in the BY clause fields. If no BY clause is specified, the stats command returns only one row, which is the aggregation over the entire incoming result set.

If you want to display fields by each id, try my query.

0 Karma

Re: I need help using dedup and dc count?

SplunkTrust

Hi @sunnyft,

I think you're looking for something like this:

index=one eventtype=one_tu  open=false
| sort -time, ComputerName
| dedup id
| stats dc(id) as ID by Date, ComputerName, agentName, class,Content

Let me know if that helps!

Cheers,
David

0 Karma

Re: I need help using dedup and dc count?

Explorer

No, it didn't work. I am not able to see any Statistics.

0 Karma