Solved: add fields after a stats count

Mike6960 · ‎05-16-2019

In my search i use a couple of stats counts, the problem is that after these commands I miss other that I want to use. For example _time. I dont need a count for these fields so how can I make sure they are stille available later on in the search?

My search is for example:

index=*
"message.Origin"=blabla
source="something "
| stats count(eval('logger' ="test1")) as "example",
count(eval(logger ="test2)) as "example2" by ID

After the stats I only have the fields, example, example2 and ID

adonio · ‎05-16-2019

use eventstats

View solution in original post

iparitosh · ‎05-16-2019

Try this.

index=* "message.Origin"=blabla source="something " 
| eventstats count(eval('logger' ="test1")) as "example",
count(eval(logger ="test2”)) as "example2" by ID
| stats List(field1) as field1 List(field2) as field2... List(fieldN) as fieldN max(example) max(example2) by ID

Mike6960 · ‎05-16-2019

the 'table list 'command does not seem to work when I use it as you describe

Mike6960 · ‎05-16-2019

I tried stats list instead but it does not seem to get the results I want

iparitosh · ‎05-16-2019

Can you explain what is the issue and provide your query here?

iparitosh · ‎05-16-2019

My bad it should be
... | stats list(field_name)... by ID

Edited my answer.

preactivity · ‎05-16-2019

Replace stats with eventstats.

index=*  "message.Origin"=blabla source="something " 
| eventstats count(eval('logger' ="test1")) as "example1", count(eval(logger ="test2)) as "example2" by ID
| table example1,example2,source,index,ID

Note: Eventstats is not good if you are concerned about the performance.

Mike6960 · ‎05-16-2019

but if I use eventstats i get all the events back. So also the ones that don't match the conditions in the evals. I only want the event that (for example) where logger= "test1"

preactivity · ‎05-16-2019

Try to apply all searches at the first stage so that you will have less data for the computation.

 index=*  "message.Origin"=blabla source="something " 
| search logger="test1" OR logger="test2"
 | eventstats count(eval('logger' ="test1")) as "example1", count(eval(logger ="test2)) as "example2" by ID
 | table example1,example2,source,index,ID

Mike6960 · ‎05-16-2019

Thanks, but with the stats command I got one line per ID and the 'loggers' in columns next to it. With eventstats I get per logger one line. what I need is for every single ID just one line with the other fields in columns next to it

preactivity · ‎05-16-2019

Just add dedup after the eventstats.
index=* "message.Origin"=blabla source="something "
| search logger="test1" OR logger="test2"
| eventstats count(eval('logger' ="test1")) as "example1", count(eval(logger ="test2)) as "example2" by ID
| dedup ID
| table example1,example2,source,index,ID

adonio · ‎05-16-2019

use eventstats

richgalloway · ‎05-16-2019

@adonio means replace stats with eventstats and fields won't be dropped.

---
If this reply helps you, Karma would be appreciated.

iparitosh · ‎05-16-2019

yes. eventstats keeps all fields available for next command.

Mike6960 · ‎05-16-2019

but if I use eventstats i get all the events back. So also the ones that don't match the conditions in the evals. I only want the event that (for example) where logger= "test1"

iparitosh · ‎05-16-2019

Post event stats you can filter events with | search logger=“test1”

Mike6960 · ‎05-16-2019

ok, I wonder why I should stats or eventstats at all...... I could just use the search= instead, every tme when I think I understand Splunk I get confused

add fields after a stats count

Developer Spotlight with Brett Adams

Index This | What can you do to make 55,555 equal 500?

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...