Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Splunk Search
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Stats Distint Count
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
IRHM73
Motivator
03-16-2016
07:20 AM
Hi, I wonder whether someone may be able to help me please.
I'm using the query below to extract a piece of data.
index=main tags.transactionName=print-suppression
| eval Date=substr(generatedAt, 1, 10) | stats dc(Date) by Date
| eval verifiedButBounced=coalesce('detail.verifiedButBounced.count',0)
| eval pendingVerificationOfChangedEmail=coalesce('detail.pendingVerificationOfChangedEmail.count', 0)
| eval verifiedPendingVerificationOfChangedEmailAndBounced=coalesce('detail.verifiedPendingVerificationOfChangedEmailAndBounced.count', 0)
| eval verifiedButBouncedPendingVerificationOfChangedEmail=coalesce('detail.verifiedButBouncedPendingVerificationOfChangedEmail.count', 0)
| eval verifiedButBouncedPendingVerificationOfChangedEmailAndBounced=coalesce('detail.verifiedButBouncedPendingVerificationOfChangedEmailAndBounced.count', 0)
| eval verifiedNotBounced=coalesce('detail.verifiedNotBounced.count', 0)
| eval Verified=verifiedButBounced + pendingVerificationOfChangedEmail + verifiedPendingVerificationOfChangedEmailAndBounced + verifiedButBouncedPendingVerificationOfChangedEmail + verifiedButBouncedPendingVerificationOfChangedEmailAndBounced + verifiedNotBounced
| rename detail.totalOfAllOptedIn.count AS Opted_In, detail.optedOut.count AS Opted_Out
| table Date, Opted_In, Opted_Out, Verified, detail.verifiedButBounced.count, detail.verifiedNotBounced.count, detail.pendingVerificationOfChangedEmail
The problem I have is that I want eliminate duplicate dates. Now I know that I can use 'dedup' which successfully removes the duplicates but I've been reading that stats dc or 'distinct count' is more efficient, but I'm a little unsure about how to incorporate this.
I just wondered whether someone could possibly look at this please and offer some guidance on where I should incorporate the 'stats dc' command.
Many thanks and kind regards
Chris
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
IRHM73
Motivator
03-16-2016
08:24 AM
Hi all,
Just to let you know that I've continued to work on this and created a solution here:
index=main tags.transactionName=print-suppression
| eval Date=substr(generatedAt, 1, 10)
| eval verifiedButBounced=coalesce('detail.verifiedButBounced.count',0)
| eval pendingVerificationOfChangedEmail=coalesce('detail.pendingVerificationOfChangedEmail.count', 0)
| eval verifiedPendingVerificationOfChangedEmailAndBounced=coalesce('detail.verifiedPendingVerificationOfChangedEmailAndBounced.count', 0)
| eval verifiedButBouncedPendingVerificationOfChangedEmail=coalesce('detail.verifiedButBouncedPendingVerificationOfChangedEmail.count', 0)
| eval verifiedButBouncedPendingVerificationOfChangedEmailAndBounced=coalesce('detail.verifiedButBouncedPendingVerificationOfChangedEmailAndBounced.count', 0)
| eval verifiedNotBounced=coalesce('detail.verifiedNotBounced.count', 0)
| eval Verified=verifiedButBounced + pendingVerificationOfChangedEmail + verifiedPendingVerificationOfChangedEmailAndBounced + verifiedButBouncedPendingVerificationOfChangedEmail + verifiedButBouncedPendingVerificationOfChangedEmailAndBounced + verifiedNotBounced
| stats dc(Date) by Date, Verified, detail.totalOfAllOptedIn.count, detail.optedOut.count, detail.verifiedButBounced.count, detail.verifiedNotBounced.count, detail.pendingVerificationOfChangedEmail.count
| rename detail.totalOfAllOptedIn.count AS Opted_In, detail.optedOut.count AS Opted_Out
| table Date, Opted_In, Opted_Out, Verified, detail.verifiedButBounced.count, detail.verifiedNotBounced.count, detail.pendingVerificationOfChangedEmail.count
Many thanks and kind regards
Chris
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
IRHM73
Motivator
03-16-2016
08:24 AM
Hi all,
Just to let you know that I've continued to work on this and created a solution here:
index=main tags.transactionName=print-suppression
| eval Date=substr(generatedAt, 1, 10)
| eval verifiedButBounced=coalesce('detail.verifiedButBounced.count',0)
| eval pendingVerificationOfChangedEmail=coalesce('detail.pendingVerificationOfChangedEmail.count', 0)
| eval verifiedPendingVerificationOfChangedEmailAndBounced=coalesce('detail.verifiedPendingVerificationOfChangedEmailAndBounced.count', 0)
| eval verifiedButBouncedPendingVerificationOfChangedEmail=coalesce('detail.verifiedButBouncedPendingVerificationOfChangedEmail.count', 0)
| eval verifiedButBouncedPendingVerificationOfChangedEmailAndBounced=coalesce('detail.verifiedButBouncedPendingVerificationOfChangedEmailAndBounced.count', 0)
| eval verifiedNotBounced=coalesce('detail.verifiedNotBounced.count', 0)
| eval Verified=verifiedButBounced + pendingVerificationOfChangedEmail + verifiedPendingVerificationOfChangedEmailAndBounced + verifiedButBouncedPendingVerificationOfChangedEmail + verifiedButBouncedPendingVerificationOfChangedEmailAndBounced + verifiedNotBounced
| stats dc(Date) by Date, Verified, detail.totalOfAllOptedIn.count, detail.optedOut.count, detail.verifiedButBounced.count, detail.verifiedNotBounced.count, detail.pendingVerificationOfChangedEmail.count
| rename detail.totalOfAllOptedIn.count AS Opted_In, detail.optedOut.count AS Opted_Out
| table Date, Opted_In, Opted_Out, Verified, detail.verifiedButBounced.count, detail.verifiedNotBounced.count, detail.pendingVerificationOfChangedEmail.count
Many thanks and kind regards
Chris
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
alacercogitatus
SplunkTrust
03-16-2016
08:14 AM
You could do it at the tail end of that search.
<that_Search> | stats last(*) as * by Date
This will take the "last" of each value on each date, and output it. You can also use "first" to get the first event found.
Remove the |stats dc(Date) by Date, since that is probably interfering with the search.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
IRHM73
Motivator
03-16-2016
08:26 AM
Hi, thank you for taking the time to reply to my post.
I did try the solution you kindly provided, but unfortunately it didn't return any results, but I have managed to put together a solution.
Many thanks and kind regards
Chris
Get Updates on the Splunk Community!
Data Management Digest – December 2025
Welcome to the December edition of Data Management Digest!
As we continue our journey of data innovation, the ...
Index This | What is broken 80% of the time by February?
December 2025 Edition
Hayyy Splunk Education Enthusiasts and the Eternally Curious!
We’re back with this ...
Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...
Hello Splunk Community,
We're thrilled to share an exciting update that will help you manage your data more ...
