Splunk Enterprise

How to calculate the number of distinct incidents in each jurisdiction?

scottmkirkland
Engager

I have a dataset with incident numbers and their associated Jurisdiction. It is possible that an incident will be listed in multiple jurisdictions.

I don't want to dedup(incident_number) globally.

I need to count by jurisdiction, but the dedup or distinct count needs to be within each Jurisdiction. 

Any suggestions?


bowesmana
SplunkTrust

Use the by clause in stats command, e.g.

| stats count by jurisdiction

OR

| stats dc(incident_number) by jurisdiction
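
The two searches above, run side by side over constructed sample rows (an added example, not part of the original answer). The field `constructed_sample` and the `INC-` values are made up for illustration: INC-1001 appears twice in North and once in South, and INC-1003 appears twice in South, so the two output columns show how the row count and the per-jurisdiction distinct count differ.

```spl
| makeresults
| eval constructed_sample="INC-1001,North;INC-1001,North;INC-1001,South;INC-1002,North;INC-1003,South;INC-1003,South"
| makemv delim=";" constructed_sample
| mvexpand constructed_sample
| eval incident_number=mvindex(split(constructed_sample, ","), 0),
       jurisdiction=mvindex(split(constructed_sample, ","), 1)
| stats count AS event_rows dc(incident_number) AS distinct_incidents BY jurisdiction
```

An incident listed in more than one jurisdiction is counted once in each of them, so the `distinct_incidents` column can sum to more than a global `dc(incident_number)`.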
