Issue with stats count with multiple fields

a238574 · ‎07-25-2019

I am using the stats count function to get a count of unique events. as part of the list I am want to show additional fields in the Statistics output. When I run my fairly simple query and use |stats count by field1 the numbers look correct. When I use | stats count by field1,field2,field3,field4 The count seems to increase more for each field I add but the strange thing is that the number of Statistics in the results does not change. For my real query I get 990 events and 142 entries on the Statistics tab for every search no matter how many fields I use in the stats count but the count for each statistic in the list grows every time I add a field.

a238574 · ‎07-26-2019

Did some more testing trying to figure out why the count was increasing and my results got worse. I made a simple search looking to produce a set of results where the field I count by should equal the number of events...

index=x accountid=123456789 | stats count by accountid

The search returns 936 events but the count is 1248.... how does it get to 1248 from 936 events

vnravikumar · ‎07-25-2019

Hi

Try like

|stats count,  list(field2)  as field2,list(field3) as field3,list(field4) as field4 by field1

a238574 · ‎07-26-2019

That produces a multi line output for each unique event

Issue with stats count with multiple fields

Introducing the Splunk Community Dashboard Challenge!

Wondering How to Build Resiliency in the Cloud?

Updated Data Management and AWS GDI Inventory in Splunk Observability