how to display stats results by values(field)

pkharbanda1021 · ‎12-06-2021

I am using the following query and trying to display the results using stats but count by field values

search query |
| table A B C D E
| stats count values(A) as errors values(B) values(C) by E

Also tried
| stats count by E A B C [but this messes up everything as this requires every field to have values]
Current Output
E count A. B C

Value1. 10. X YY ZZZ
Y ZZ BBB

Output
E count A. B C

Value1. 8. X YY ZZZ
2 Y ZZ BBB

@somesoni2

ITWhisperer · ‎12-06-2021

search query | 
| table A B C D E
| fillnull value="N/A" A B C 
| stats count by E A B C

pkharbanda1021 · ‎12-07-2021

this doesn't solve my problem

ITWhisperer · ‎12-07-2021

Please explain what is not working for you with this method

pkharbanda1021 · ‎12-07-2021

results which I am getting arent accurate and its not making any sense
I want the count for each value you see in the first value and with the above solution this is not accurate and doesnt work

ITWhisperer · ‎12-07-2021

Can you share the search you used to get these results?

pkharbanda1021 · ‎12-07-2021

for now
"your base search" | fillnull value=NA errors
| stats count values(traceid_id) as TraceId by title errors

but I also tried with [this gives me completely different results and I want results by title]
"your base search" | fillnull value=NA errors traceid_id
| stats count by title errors traceid_id

ITWhisperer · ‎12-07-2021

It is usually easier when you describe your issue with closer to reality examples. Try something like this

"your base search" | fillnull value=NA errors traceid_id 
| stats count by title errors traceid_id
| stats list(count) as count list(errors) as errors list(traceid_id) as traceid_id by title

how to display stats results by values(field)

fields

stats

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

Monitoring Amazon Elastic Kubernetes Service (EKS)