Splunk Search

stats values count by in two different results

elbywong
Explorer

I am using two SPL searches whose results are different, but I think the SPL is the same. Can anyone help?

index=main sourcetype=access_combined_wcookie
|stats values(useragent) as "Agents Used" count as "Times Used" by useragent
|table "Agents Used", "Times Used"

index=main sourcetype=access_combined_wcookie
|stats values(useragent) as "Agents Used" 
|stats count("Agents Used") as "Times Used" by "Agents Used"
|table "Agents Used", "Times Used"

The result is attached.


danielwysockiar
Explorer

The results are different, because those SPL searches count something completely different.
Look at the first SPL:

index=main sourcetype=access_combined_wcookie
 |stats values(useragent) as "Agents Used" count as "Times Used" by useragent

count counts how many times a unique useragent appeared in the searched events, and I suppose that is what you want to achieve

...but in the second SPL:

index=main sourcetype=access_combined_wcookie
 |stats values(useragent) as "Agents Used" 
 |stats count("Agents Used") as "Times Used" by "Agents Used"

count counts how many useragents were listed by the previous command, because it is piped....

Look at the "Statistics" tab on the screen you attached: It says 2 and the result of SPL for each line is also 2.

Do a simple test and compare:

index=main sourcetype=access_combined_wcookie
|stats values(useragent) as x count by useragent

and

 index=main sourcetype=access_combined_wcookie
|stats values(useragent) as x
| stats count(x) by x

Regards


kamlesh_vaghela
SplunkTrust

@elbywong

In your first search you have used the stats command to count events by useragent and to get useragent as Agents Used. This gives a useragent-wise total event count. Here we get the proper count of events.

As per my suggestion, if you remove the values(useragent) as "Agents Used" and rename the useragent field, then it will give the same result with a proper approach.

like

index=main sourcetype=access_combined_wcookie
|stats count as "Times Used" by useragent 
| rename useragent as "Agents Used"
|table "Agents Used", "Times Used"

In your second search, you have written values(useragent) as "Agents Used"; if you execute the below search, then it will give you a multivalued Agents Used field.

Try:

index=main sourcetype=access_combined_wcookie
|stats values(useragent) as "Agents Used" 

Here we are losing the total events for a particular Agent and get a single field with multiple agents. And, as we have used the stats command, we will not be able to take the events or the count of events which could be used in the next stats command to represent the count of events by useragent.

Next Stats:

|stats count("Agents Used") as "Times Used" by "Agents Used"
|table "Agents Used", "Times Used"

count("Agents Used") as "Times Used" by "Agents Used"
gives you the total number of "Agents Used" in "Times Used". And it is an invalid count of agents.

If you want a count of events per Agent, then I suggest the below search.

index=main sourcetype=access_combined_wcookie
|stats count as "Times Used" by useragent 
| rename useragent as "Agents Used"
|table "Agents Used", "Times Used"

Thanks

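To make the two answers above concrete, here is an added Python sketch (not from the original post and not Splunk code) that parses a few constructed access_combined_wcookie-style lines and reproduces both pipelines outside Splunk: counting by useragent keeps the per-agent event counts, while collapsing to values(useragent) first leaves a single multivalue row from which those counts cannot be recovered. The log layout (Apache combined log followed by a quoted cookie field), the sample lines, and the function names are assumptions made for this example.

```python
import re
from collections import Counter

# Constructed sample events in an access_combined_wcookie-style layout
# (assumed: Apache combined log plus a trailing quoted cookie field).
# Made up for this example; not data from the original post.
SAMPLE_EVENTS = [
    '10.0.0.1 - - [12/Mar/2024:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 10.0)" "sid=abc"',
    '10.0.0.2 - - [12/Mar/2024:10:00:02 +0000] "GET /login HTTP/1.1" 302 0 "-" "curl/8.4.0" "sid=def"',
    '10.0.0.1 - - [12/Mar/2024:10:00:03 +0000] "POST /login HTTP/1.1" 200 128 "-" "Mozilla/5.0 (Windows NT 10.0)" "sid=abc"',
    '10.0.0.3 - - [12/Mar/2024:10:00:04 +0000] "GET /admin HTTP/1.1" 403 64 "-" "Mozilla/5.0 (Windows NT 10.0)" "sid=ghi"',
    '10.0.0.4 - - [12/Mar/2024:10:00:05 +0000] "GET /robots.txt HTTP/1.1" 200 32 "-" "curl/8.4.0" "-"',
]

# Field extraction for the assumed layout; quoted fields may not contain
# a double quote in this simplified parser.
LINE_RE = re.compile(
    r'^(?P<clientip>\S+) \S+ \S+ \[(?P<timestamp>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<useragent>[^"]*)" "(?P<cookie>[^"]*)"$'
)


def parse_events(lines):
    """Turn raw log lines into event dicts; lines that do not match are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def count_by_useragent(events):
    """Equivalent of: | stats count as "Times Used" by useragent
    One row per distinct useragent, carrying the number of events."""
    return dict(Counter(e["useragent"] for e in events))


def times_used_table(events):
    """Equivalent of the suggested search:
    | stats count as "Times Used" by useragent | rename useragent as "Agents Used"
    | table "Agents Used", "Times Used"
    Rows are ordered by count (descending) and then by agent name for stable output."""
    counts = count_by_useragent(events)
    return [
        {"Agents Used": agent, "Times Used": n}
        for agent, n in sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))
    ]


def values_useragent(events):
    """Equivalent of: | stats values(useragent) as "Agents Used" (no by clause).
    Collapses the whole result set to ONE row with a multivalue field; the
    per-event information, and with it every per-agent count, is gone."""
    return {"Agents Used": sorted({e["useragent"] for e in events})}


def what_second_stats_sees(row):
    """What a second stats command over that single row has to work with:
    exactly one row and n distinct values. Nothing here says how many events
    each agent produced, which is why the second pipeline cannot give "Times Used"."""
    agents = row["Agents Used"]
    return {"rows_available": 1, "distinct_agents": len(agents)}


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    for r in times_used_table(evs):
        print(r)
    print(what_second_stats_sees(values_useragent(evs)))
```

The first pipeline keeps one row per useragent with its event count; the second throws the event count away in its first stats, so any count computed afterwards is a count over the distinct agent list, not over events.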