Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

stats on the presence of a field

Samslara
Explorer
‎11-28-2011 04:58 PM

Hi,
I have a set of splunk entries where it can be one of several pattern of fields. So for example:

2011-01-01T12:00:00.000-0800 a=1 b=2
2011-01-01T12:00:00.001-0800 a=1 b=2
2011-01-01T12:00:00.002-0800 c=10
2011-01-01T12:00:00.003-0800 c=10
2011-01-01T12:00:00.004-0800 c=10
2011-01-01T12:00:00.005-0800 d=99

So with the above data I want to get the count of the presence of a field. So the output of such a query would be something like this:

fields | count
a | 2
b | 2
c | 3
d | 1

Can anyone suggest a query for me to use to do this?

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

_d_
Splunk Employee
Splunk Employee
‎11-29-2011 12:47 PM

The best you can do given your requirement of not knowing the fields ahead of time is:

... | stats count(*) | transpose

This will give you a count of ALL fields present in the search.

Hope this helps.

> please upvote and accept answer if you find it useful - thanks!

View solution in original post

Reply
Solved! Jump to solution

Samslara
Explorer
‎11-29-2011 01:48 PM

One way I was going about it was to use rex:

... | rex field=_raw "\t(?[^=]+)=\d+\t" max_match=10 | stats count by myFields

Though this isn't as general as the accepted answer nor probably as fast.

0 Karma
Reply
Solved! Jump to solution
Solution

_d_
Splunk Employee
Splunk Employee
‎11-29-2011 12:47 PM

The best you can do given your requirement of not knowing the fields ahead of time is:

... | stats count(*) | transpose

This will give you a count of ALL fields present in the search.

Hope this helps.

> please upvote and accept answer if you find it useful - thanks!

Reply
Solved! Jump to solution

Samslara
Explorer
‎11-29-2011 01:45 PM

Thanks, this was very helpful.

0 Karma
Reply
Solved! Jump to solution

Ayn
Legend
‎11-28-2011 11:54 PM

Is it important to have the results in columns rather than rows?

You could do

... | stats count(a),count(b),count(c),count(d)

which will give you a count of each field in a new column. If you want it in rows instead, as in your example, use transpose:

... | stats count(a),count(b),count(c),count(d) | transpose
Reply
Solved! Jump to solution

Samslara
Explorer
‎11-29-2011 01:48 PM

Thank you.

0 Karma
Reply
Solved! Jump to solution

Ayn
Legend
‎11-29-2011 01:05 PM

Just use wildcards:

... | stats count(*)
0 Karma
Reply
Solved! Jump to solution

Samslara
Explorer
‎11-29-2011 12:21 PM

This would work if I knew all the fields that would be present, but suppose I didn't know. Is there a way to do this?

0 Karma
Reply
Get Updates on the Splunk Community!

Data Management Digest – December 2025

Welcome to the December edition of Data Management Digest! As we continue our journey of data innovation, the ...

Index This | What is broken 80% of the time by February?

December 2025 Edition   Hayyy Splunk Education Enthusiasts and the Eternally Curious!    We’re back with this ...

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...

Hello Splunk Community,   We're thrilled to share an exciting update that will help you manage your data more ...