Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Need count for fields value

rakesh44
Communicator
‎04-16-2019 10:10 PM

Hi Friends,

I have two field component and eventtype, need count of component=root and component=Metrics and venttype=splunkd-log and eventtype=splunkd-access .

Am using below command but getting count of components only not eventtype, morover my data is big can we used tstats command in such case.Thanks

index="_internal" component=root OR component=Metrics OR eventtype=splunkd-log OR eventtype=splunkd-access | stats count by component

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

rakesh44
Communicator
‎04-17-2019 04:18 AM

index="_internal" component=root OR component=Metrics OR eventtype=splunkd-log OR eventtype=splunkd-access | stats count(eval(component="Metrics")) as Metrics_count, count(eval(component="root")) as Root_count, count(eval(eventtype="splunkd-log")) as Splunkd_log_count, count(eval(eventtype="splunkd-access")) as Splunkd_access_count

If you want to improve performance use below command ( Both command are working fine )

| tstats count(eval(component="Metrics")) as Metrics_count, count(eval(component="root")) as Root_count, count(eval(eventtype="splunkd-log")) as Splunkd_log_count, count(eval(eventtype="splunkd-access")) as Splunkd_access_count count from datamodel=internal_server WHERE component=root OR component=Metrics OR eventtype=splunkd-log OR eventtype=splunkd-access

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

rakesh44
Communicator
‎04-17-2019 04:18 AM

index="_internal" component=root OR component=Metrics OR eventtype=splunkd-log OR eventtype=splunkd-access | stats count(eval(component="Metrics")) as Metrics_count, count(eval(component="root")) as Root_count, count(eval(eventtype="splunkd-log")) as Splunkd_log_count, count(eval(eventtype="splunkd-access")) as Splunkd_access_count

If you want to improve performance use below command ( Both command are working fine )

| tstats count(eval(component="Metrics")) as Metrics_count, count(eval(component="root")) as Root_count, count(eval(eventtype="splunkd-log")) as Splunkd_log_count, count(eval(eventtype="splunkd-access")) as Splunkd_access_count count from datamodel=internal_server WHERE component=root OR component=Metrics OR eventtype=splunkd-log OR eventtype=splunkd-access

0 Karma
Reply
Solved! Jump to solution

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎04-16-2019 11:52 PM

@rakesh44

Can you please try this search for performace?

| tstats count(eval(component="Metrics")) as Metrics_count, count(eval(component="root")) as Root_count, count(eval(eventtype="splunkd-log")) as Splunkd_log_count, count(eval(eventtype="splunkd-access")) as Splunkd_access_count count from datamodel=internal_server WHERE component=root OR component=Metrics OR eventtype=splunkd-log OR eventtype=splunkd-access
0 Karma
Reply
Solved! Jump to solution

rakesh44
Communicator
‎04-17-2019 01:12 AM

Thanks Kamlesh for quick reply

Tried with given command , but ending with error

Error in 'TsidxStats': The tstats / mstats command cannot apply eval function to aggregation function.

0 Karma
Reply
Solved! Jump to solution

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎04-17-2019 02:01 AM

@rakesh44

It's working for me in Splunk 7.2.3. Check below link.

https://drive.google.com/open?id=1DCEOpNokZBA6OLW6m7MxgJYVZFPcmvzz

Can you please share your search if you have changed and Splunk version information?

0 Karma
Reply
Solved! Jump to solution

rakesh44
Communicator
‎04-17-2019 04:16 AM

appreciate for your help

0 Karma
Reply
Solved! Jump to solution

rakesh44
Communicator
‎04-17-2019 04:19 AM

I dont see option to accept your answer and hence posting your answer again

0 Karma
Reply
Solved! Jump to solution

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎04-17-2019 05:07 AM

@rakesh44

Now you can mark it Accept.

0 Karma
Reply
Solved! Jump to solution

rakesh44
Communicator
‎04-16-2019 10:59 PM

Thanks Kamlesh for quick reply

Its works for me, can we expedite search its very slow , I have many events.

0 Karma
Reply
Solved! Jump to solution

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎04-16-2019 10:29 PM

@rakesh44
You can use eval() to get the count of specific value.
Check below search:

index="_internal" component=root OR component=Metrics OR eventtype=splunkd-log OR eventtype=splunkd-access | stats count(eval(component="Metrics")) as Metrics_count, count(eval(component="root")) as Root_count, count(eval(eventtype="splunkd-log")) as Splunkd_log_count, count(eval(eventtype="splunkd-access")) as Splunkd_access_count
0 Karma
Reply
Get Updates on the Splunk Community!

September Community Champions: A Shoutout to Our Contributors!

As we close the books on another fantastic month, we want to take a moment to celebrate the people who are the ...

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...