Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

stats value count by in two different result

elbywong
Explorer
‎07-11-2018 08:12 PM

I am using two spl which the result are different, but I think the spl is the same. Can anyone help?

index=main sourcetype=access_combined_wcookie
|stats values(useragent) as "Agents Used" count as "Times Used" by useragent
|table "Agents Used", "Times Used"

index=main sourcetype=access_combined_wcookie
|stats values(useragent) as "Agents Used" 
|stats count("Agents Used") as "Times Used" by "Agents Used"
|table "Agents Used", "Times Used"

The result is attached.
![alt text][1]

Tags (1)
Preview file
507 KB
Preview file
507 KB
0 Karma
Reply

danielwysockiar
Explorer
‎07-12-2018 05:53 AM

The results are different, because those SPL count something completly different.
Look at the first SPL:

index=main sourcetype=access_combined_wcookie
 |stats values(useragent) as "Agents Used" count as "Times Used" by useragent

count counts how many times a unique useragent appeared in searched events and I suppose that is what you want to achieve

...but in the second SPL:

index=main sourcetype=access_combined_wcookie
 |stats values(useragent) as "Agents Used" 
 |stats count("Agents Used") as "Times Used" by "Agents Used"

count counts how many useragents were listed by previous command, because it is piped....

Look at the "Statistics" tab on the screen you attached: It says 2 and the result of SPL for each line is also 2.

Do a simple test and compare:

index=main sourcetype=access_combined_wcookie
|stats values(useragent) as x count by useragent

and

 index=main sourcetype=access_combined_wcookie
|stats values(useragent) as x
| stats count(x) by x

Regards

0 Karma
Reply

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎07-12-2018 01:03 AM

@elbywong

In your first search you have used stats command to count events useragent and to get useragent as Agents Used. This will gives useragent wise total event count. Here we will get the proper count of events.

As per my suggestion, if you remove the values(useragent) as "Agents Used" and rename the useragent field then it will give the same result with proper approach.

like

index=main sourcetype=access_combined_wcookie
|stats count as "Times Used" by useragent 
| rename useragent as "Agents Used"
|table "Agents Used", "Times Used"

In your second search, you have written values(useragent) as "Agents Used", if you execute below search then it will give you multivalued Agents Used field.

Try:

index=main sourcetype=access_combined_wcookie
|stats values(useragent) as "Agents Used"

Here we are losing total events for particular Agents and gives you a single field with multiple agents. And, as we have used stats
command, we will not able to take the events or count of events which can be used in next stats command which is representing count of events by useragent.

Next Stats:

|stats count("Agents Used") as "Times Used" by "Agents Used"
|table "Agents Used", "Times Used"

count("Agents Used") as "Times Used" by "Agents Used"
which gives you a total number of "Agents Used" in "Times Used". And it is an invalid count of agents.

If you want a count of events per Agent then I suggest below search.

index=main sourcetype=access_combined_wcookie
|stats count as "Times Used" by useragent 
| rename useragent as "Agents Used"
|table "Agents Used", "Times Used"

Thanks

0 Karma
Reply
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...