Splunk Search

stats generate distinct counts by a field, and also overall

Path Finder

I am parsing through a lot of data, so I want to do this preferably in one search command.

1) I want to generate distinct counts field1 and field2, grouped by field3. 2) I also want to generate distinct count on field1 and field2, without a group by.

so for 1 I have something like this:

....| stats dc(field1) dc(field2) by field3

and for 2 I have something like this: ....| stats dc(field1) dc(field2)

How can I combine both of these into one search command? so that I have the following table

field3 dc(field1) dc(field2)

a 20 30 b 50 80 Total 55 90

Note that Total unique != sum of a+b, because of overlaps.

Tags (1)

Splunk Employee
Splunk Employee

You could use append to join the results. Try something like this (then pipe to format as you need):

... | stats dc(field1) as "DC Field1" dc(field2) as "DC Field2" by field3 | append [search ... | stats dc(field1) as "Total Field1" dc(field2) as "Total Field2"]

Splunk Employee
Splunk Employee

Path Finder

Hmm, but it still means I have to parse through the data twice. I just want to parse through once if its possible. This is a quarterly report so really big data!

0 Karma