Re: Issue with stats count with multiple fields

a238574 · ‎07-25-2019

I am using the stats count function to get a count of unique events. as part of the list I am want to show additional fields in the Statistics output. When I run my fairly simple query and use |stats count by field1 the numbers look correct. When I use | stats count by field1,field2,field3,field4 The count seems to increase more for each field I add but the strange thing is that the number of Statistics in the results does not change. For my real query I get 990 events and 142 entries on the Statistics tab for every search no matter how many fields I use in the stats count but the count for each statistic in the list grows every time I add a field.

a238574 · ‎07-26-2019

Did some more testing trying to figure out why the count was increasing and my results got worse. I made a simple search looking to produce a set of results where the field I count by should equal the number of events...

index=x accountid=123456789 | stats count by accountid

The search returns 936 events but the count is 1248.... how does it get to 1248 from 936 events

vnravikumar · ‎07-25-2019

Hi

Try like

|stats count,  list(field2)  as field2,list(field3) as field3,list(field4) as field4 by field1

a238574 · ‎07-26-2019

That produces a multi line output for each unique event

Issue with stats count with multiple fields

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Observability Simplified: Combining User Experience, Application Performance & ...

Event Series May & June: From Network Visibility to Service Intelligence

Global Splunk User Group Events: May + June 2026

Join the Conversation