Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Perform stats on full data and deduplicated data

Bulluk
Path Finder
‎05-21-2012 07:50 AM

Hi

I need to present a simple couple of counts on some IIS logs. One count will be raw, total hits, the other will be deduplicated by the user to show unique users. The following 2 commands work individually:

"search to return the data" | stats count as TotalHits by cs_uri_stem | table cs_uri_stem, TotalHits 

"search to return the data" | dedup cs_username | stats count as UniqueHits by cs_uri_stem | table cs_uri_stem, UniqueHits

however I get no results when I bring them togther. I presume this is because the stats command throws columns away but I'm not sure how to overcome it. 

"search to return the data" | stats count as TotalHits by cs_uri_stem | dedup cs_username | stats count as UniqueHits by cs_uri_stem | table cs_uri_stem, TotalHits , UniqueHits

Thanks in advance

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Ayn
Legend
‎05-21-2012 08:01 AM

If all you want from the second search is to get a distinct usercount, just use distinct_count or dc which is the short form:

... | stats count as TotalHits,dc(cs_username) as UniqueHits by cs_uri_stem | table cs_uri_stem TotalHits UniqueHits

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

Ayn
Legend
‎05-21-2012 08:01 AM

If all you want from the second search is to get a distinct usercount, just use distinct_count or dc which is the short form:

... | stats count as TotalHits,dc(cs_username) as UniqueHits by cs_uri_stem | table cs_uri_stem TotalHits UniqueHits
0 Karma
Reply
Solved! Jump to solution

Bulluk
Path Finder
‎05-21-2012 08:03 AM

It's easy when you know how 🙂

Thanks for such a quick response!

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

SOK it to Me: Top 3 Benefits of Using Splunk Operator on Kubernetes that’ll Make ...

    Thursday, July 9, 2026  |  11:00AM–12:00PM PDT Duration: 1 hour (includes Q&A) Managing can feel like a ...

Upgrade Prep for 10.4, Network Observability Deep Dives, and More from Splunk Lantern

Splunk Lantern is Splunk’s customer success center that provides practical guidance from Splunk experts on key ...

Splunk Developer Day announcements: AI agents, MCP tools, Forecasting, and Custom ...

Splunk Developer Day was packed with product and platform updates for developers building in the AI ...