Solved: Stats Dc & Substr

IRHM73 · ‎11-04-2015

Hi, I wonder whether someone may be able to help me please.

I'm trying to change the 'dedup' element of the query below to a stats dc:

index=main auditSource=ntc "detail.method"=POST detail.statusCode=204 | dedup tags.path | head 8000 | eval `nino=substr('tags.path',6,9) | table nino _time`

I've changed dedup tags.path to stats dc(tags.path), but when I run the query I'm no longer returning any results.

could someone tell me please where I've gone wrong.

Many thanks and kind regards

Chris

IRHM73 · ‎11-05-2015

Hi, for those who may be interested, I solved this with the following query:

index=main auditSource=ntc "detail.method"=POST detail.statusCode=204 | head 8000 | eval nino=substr('tags.path',6,9) | stats dc(nino) by nino, _time |table nino _time

Kind Regards

Chris

View solution in original post

IRHM73 · ‎11-05-2015

Hi, for those who may be interested, I solved this with the following query:

index=main auditSource=ntc "detail.method"=POST detail.statusCode=204 | head 8000 | eval nino=substr('tags.path',6,9) | stats dc(nino) by nino, _time |table nino _time

Kind Regards

Chris

Stats Dc & Substr

Infographic provides the TL;DR for the 2024 Splunk Career Impact Report

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?