Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

splunk stats group and count by fields

Ameenulla
Engager
‎09-17-2024 10:16 AM

need query to remove duplicates from count stats

Sample input

event  email

abc      xyz@email.com

abc    xyz@email.com

abc. test@email.com

abc. test@email.com

xyz xyz@email.com

Expected output 

eventcount
abc2
xyz1

what I am getting 

eventcount
abc4
xyz1
Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

yuanliu
SplunkTrust
SplunkTrust
‎09-17-2024 09:11 PM

It is good that you try to illustrate input and desired output.  But you forget to tell us what you are trying to count that should either be 4 or 2?  In other words, you need to explain the logic between input and desired output fully and explicitly.

If I take a wild mind reading, you want to count unique number of E-mails related to each type of event.  You want to use distinctcount or dc, not count.

 

| stats dc(email) as count by event

 

Here's an emulation of your mock input

 

| makeresults format=csv data="_raw
abc      xyz@email.com
abc    xyz@email.com
abc. test@email.com
abc. test@email.com
xyz xyz@email.com"
| rex "(?<event>\w+)\W+(?<email>\S+)"
``` data emulation above ```

 

The output is

eventcount
abc2
xyz1

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

yuanliu
SplunkTrust
SplunkTrust
‎09-17-2024 09:11 PM

It is good that you try to illustrate input and desired output.  But you forget to tell us what you are trying to count that should either be 4 or 2?  In other words, you need to explain the logic between input and desired output fully and explicitly.

If I take a wild mind reading, you want to count unique number of E-mails related to each type of event.  You want to use distinctcount or dc, not count.

 

| stats dc(email) as count by event

 

Here's an emulation of your mock input

 

| makeresults format=csv data="_raw
abc      xyz@email.com
abc    xyz@email.com
abc. test@email.com
abc. test@email.com
xyz xyz@email.com"
| rex "(?<event>\w+)\W+(?<email>\S+)"
``` data emulation above ```

 

The output is

eventcount
abc2
xyz1
0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

&#x1f342; Fall into November with a fresh lineup of Community Office Hours, Tech Talks, and Webinars we’ve ...

Transform your security operations with Splunk Enterprise Security

Hi Splunk Community, Splunk Platform has set a great foundation for your security operations. With the ...

Splunk Admins and App Developers | Earn a $35 gift card!

Splunk, in collaboration with ESG (Enterprise Strategy Group) by TechTarget, is excited to announce a ...