Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

how to display stats results by values(field)

pkharbanda1021
Engager
‎12-06-2021 05:34 PM

I am using the following query and trying to display the results using stats but count by field values

search query | 
| table A B C D E
| stats count values(A) as errors values(B)  values(C)  by E

Also tried 
| stats  count by E A B C [but this messes up everything as this requires every field to have values]
Current Output 
E                                  count                  A.            B                   C    

Value1.                     10.                        X              YY               ZZZ 
                                                                  Y               ZZ              BBB

Output 
E                                  count                  A.            B                   C    

Value1.                       8.                        X              YY               ZZZ 
                                      2                          Y               ZZ              BBB

  @somesoni2 

Labels (2)
Labels
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎12-06-2021 11:53 PM 
search query | 
| table A B C D E
| fillnull value="N/A" A B C 
| stats count by E A B C
0 Karma
Reply

pkharbanda1021
Engager
‎12-07-2021 06:29 AM

this doesn't solve my problem

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎12-07-2021 06:59 AM

Please explain what is not working for you with this method

0 Karma
Reply

pkharbanda1021
Engager
‎12-07-2021 07:14 AM

results which I am getting arent accurate and its not making any sense 
I want the count for each value you see in the first value and with the above solution this is not accurate and doesnt work

pkharbanda1021_0-1638890043433.png

 

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎12-07-2021 07:19 AM

Can you share the search you used to get these results?

0 Karma
Reply

pkharbanda1021
Engager
‎12-07-2021 10:17 AM

for now 
"your base search" | fillnull value=NA errors
| stats count values(traceid_id) as TraceId  by title errors

but I also tried with [this gives me completely different results and I want results by title]
"your base search" | fillnull value=NA errors traceid_id 
| stats count by title errors traceid_id 

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎12-07-2021 10:51 AM

It is usually easier when you describe your issue with closer to reality examples. Try something like this

"your base search" | fillnull value=NA errors traceid_id 
| stats count by title errors traceid_id
| stats list(count) as count list(errors) as errors list(traceid_id) as traceid_id by title
0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Register for .conf25!
Get Updates on the Splunk Community!

.conf25 Global Broadcast: Don’t Miss a Moment

Hello Splunkers, .conf25 is only a click away.  Not able to make it to .conf25 in person? No worries, you can ...

Observe and Secure All Apps with Splunk

 Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

What's New in Splunk Observability - August 2025

What's New We are excited to announce the latest enhancements to Splunk Observability Cloud as well as what is ...