Splunk Search
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

distinct count not working on summary index (sistats)

loganramirez
Path Finder
‎06-13-2024 11:10 AM

Splunk Enterprise 9.0.6 and building a summary index of sourcenumbers (count) and distinct destinations called (dc(destinationnumber))

When i run this:

...
| stats count dc(destinationnumber) by sourcenumber


I get something like

sourcenumber,count,dc(destinationnumber)
+15551234567,10,8

indicating it called 10 times to 8 different numbers.
adsf
perfect.

But with this:

...
| sistats count dc(destinationnumber) by sourcenumber

 

i get:

psrsvd_ct_destinationnumber,psrsvd_gc,psrsvd_v, psrsvd_vm_destinationnumber
10,10,1,+19991234567;2,+18881234567;2,+17771234567;1,+15551234567;1 (etc)

Found no clear help in the sistats page and other posts like this one it seems to work (though older posts and not using count)

Best guess is that vm column 'preserves' the details, but idk why dc() isn't working like I expect.

Labels (1)
Labels
Reply
Get Updates on the Splunk Community!

Buttercup Games: Further Dashboarding Techniques (Part 4)

This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...

What You Read The Most: Splunk Lantern’s Most Popular Articles!

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

SOC Modernization: How Automation and Splunk SOAR are Shaping the Next-Gen Security ...

Security automation is no longer a luxury but a necessity. Join us to learn how Splunk ES and SOAR empower ...
Top