Solved: Perform stats on full data and deduplicated data

Bulluk · ‎05-21-2012

Hi

I need to present a simple couple of counts on some IIS logs. One count will be raw, total hits, the other will be deduplicated by the user to show unique users. The following 2 commands work individually:

"search to return the data" | stats count as TotalHits by cs_uri_stem | table cs_uri_stem, TotalHits 

"search to return the data" | dedup cs_username | stats count as UniqueHits by cs_uri_stem | table cs_uri_stem, UniqueHits

however I get no results when I bring them togther. I presume this is because the stats command throws columns away but I'm not sure how to overcome it.

"search to return the data" | stats count as TotalHits by cs_uri_stem | dedup cs_username | stats count as UniqueHits by cs_uri_stem | table cs_uri_stem, TotalHits , UniqueHits

Thanks in advance

Ayn · ‎05-21-2012

If all you want from the second search is to get a distinct usercount, just use distinct_count or dc which is the short form:

... | stats count as TotalHits,dc(cs_username) as UniqueHits by cs_uri_stem | table cs_uri_stem TotalHits UniqueHits

View solution in original post

Ayn · ‎05-21-2012

If all you want from the second search is to get a distinct usercount, just use distinct_count or dc which is the short form:

... | stats count as TotalHits,dc(cs_username) as UniqueHits by cs_uri_stem | table cs_uri_stem TotalHits UniqueHits

Bulluk · ‎05-21-2012

It's easy when you know how 🙂

Thanks for such a quick response!

Perform stats on full data and deduplicated data

User Groups | Upcoming Events!

Splunk Lantern | Spotlight on Security: Adoption Motions, War Stories, and More

Splunk Cloud | Empowering Splunk Administrators with Admin Config Service (ACS)