stats dc(id) as ID takes away all other fields
If I understand your needs, try this:
index = one eventtype=one_tu open=false | stats values(id) as all_ids
If you want to see it in the context of other fields, add a by clause to your stats command.
Under Statistics I get a count of 0. However, if I don't use stats value I see the results, but I want to get a unique count, so I still need help.
Maybe I don't even need to use stats dc. I am getting answers when I use | stats values(id) as -__Name, however the table is empty. I was trying to get rid of duplicate Name values, even if they are from a different user. I am not even sure if I need to use stats dc, but I don't want to see duplicate values in the table.
If I don't use | stats values(id) as -__Name I'm getting results, but with duplicates as well.
index=one eventtype=one_tu open="false" | fields Date ComputerName agentName class Content id | stats values(*) as * by id
If you want to display fields by each id, try my query.
I think you're looking for something like this:
index=one eventtype=one_tu open=false | sort -time, ComputerName | dedup id | stats dc(id) as ID by Date, ComputerName, agentName, class, Content
Let me know if that helps!