Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

how to display stats results by values(field)

pkharbanda1021
Engager
‎12-06-2021 05:34 PM

I am using the following query and trying to display the results using stats but count by field values

search query | 
| table A B C D E
| stats count values(A) as errors values(B)  values(C)  by E

Also tried 
| stats  count by E A B C [but this messes up everything as this requires every field to have values]
Current Output 
E                                  count                  A.            B                   C    

Value1.                     10.                        X              YY               ZZZ 
                                                                  Y               ZZ              BBB

Output 
E                                  count                  A.            B                   C    

Value1.                       8.                        X              YY               ZZZ 
                                      2                          Y               ZZ              BBB

  @somesoni2 

Labels (2)
Labels
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎12-06-2021 11:53 PM 
search query | 
| table A B C D E
| fillnull value="N/A" A B C 
| stats count by E A B C
0 Karma
Reply

pkharbanda1021
Engager
‎12-07-2021 06:29 AM

this doesn't solve my problem

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎12-07-2021 06:59 AM

Please explain what is not working for you with this method

0 Karma
Reply

pkharbanda1021
Engager
‎12-07-2021 07:14 AM

results which I am getting arent accurate and its not making any sense 
I want the count for each value you see in the first value and with the above solution this is not accurate and doesnt work

pkharbanda1021_0-1638890043433.png

 

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎12-07-2021 07:19 AM

Can you share the search you used to get these results?

0 Karma
Reply

pkharbanda1021
Engager
‎12-07-2021 10:17 AM

for now 
"your base search" | fillnull value=NA errors
| stats count values(traceid_id) as TraceId  by title errors

but I also tried with [this gives me completely different results and I want results by title]
"your base search" | fillnull value=NA errors traceid_id 
| stats count by title errors traceid_id 

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎12-07-2021 10:51 AM

It is usually easier when you describe your issue with closer to reality examples. Try something like this

"your base search" | fillnull value=NA errors traceid_id 
| stats count by title errors traceid_id
| stats list(count) as count list(errors) as errors list(traceid_id) as traceid_id by title
0 Karma
Reply
Get Updates on the Splunk Community!

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...

Auto-Injector for Everything Else: Making OpenTelemetry Truly Universal

You might have seen Splunk’s recent announcement about donating the OpenTelemetry Injector to the ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...