stats count by variable field names?

the_wolverine · ‎02-21-2017

I have a need to stats count by a list of variable fields that I don't know the names of. (stats count by * doesn't seem to work). Does anyone have any ideas?

I know I would need to fillnull the empty fields then stats count by (list of all fields). This is a reduced set already so I'm not actually fill nulling.

woodcock · ‎02-21-2017

I am taking you VERY literally so it is quite possible that this is not what you are really seeking. In order for this solution to work, you need 1 "real" field that you need to keep; I will assume that host is that field for you.. If there are more fields, then you will have to combine them so that you only have 1. For example, if you would like to keep sourcetype, too, then do this first (and use host_sourcetype instead of host in the last search):

... | eval host_sourcetype = host . "::" . sourcetype | fields - host sourcetype

Now that you only have 1 "keeper" field and then the "various" fields (make sure that you get rid of any other fields by using fields - list of other fields here), you do this:

| untable host various value
| stats sum(*) count(*) list(*) by host various

jkat54 · ‎02-21-2017

How about

 stats count(*) by *

? I forget if that's he workaround or not been a moment for me.

stats count by variable field names?

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?