Solved: Stats Dc & Substr

IRHM73 · ‎11-04-2015

Hi, I wonder whether someone may be able to help me please.

I'm trying to change the 'dedup' element of the query below to a stats dc:

index=main auditSource=ntc "detail.method"=POST detail.statusCode=204 | dedup tags.path | head 8000 | eval `nino=substr('tags.path',6,9) | table nino _time`

I've changed dedup tags.path to stats dc(tags.path), but when I run the query I'm no longer returning any results.

could someone tell me please where I've gone wrong.

Many thanks and kind regards

Chris

IRHM73 · ‎11-05-2015

Hi, for those who may be interested, I solved this with the following query:

index=main auditSource=ntc "detail.method"=POST detail.statusCode=204 | head 8000 | eval nino=substr('tags.path',6,9) | stats dc(nino) by nino, _time |table nino _time

Kind Regards

Chris

View solution in original post

IRHM73 · ‎11-05-2015

Hi, for those who may be interested, I solved this with the following query:

index=main auditSource=ntc "detail.method"=POST detail.statusCode=204 | head 8000 | eval nino=substr('tags.path',6,9) | stats dc(nino) by nino, _time |table nino _time

Kind Regards

Chris

Stats Dc & Substr

Monitoring Amazon Elastic Kubernetes Service (EKS)

Cloud Platform & Enterprise: Classic Dashboard Export Feature Deprecation

Explore the Latest Educational Offerings from Splunk (November Releases)