Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Distinct counts on only those fields that begin with a particular string

deton0
Explorer
‎10-17-2021 08:46 PM

Hi

I'm searching on an internet usage index for events that contain a particular word somewhere in the domain. For example the word could be "edublogs".

From the result, I need to sum the total of bytes downloaded for all events returned. The problem I'm having is needing to calculate a distinct count of centers and a distinct count of userids where the domain name only begins with "edublogs", e.g. "edublogs.com" and not when it doesn't, e.g.  "accountsedublogs.com".

I know this example is wrong but can someone please help me with how I would change it to achieve the outcome below?

index=searchdata domain="*edublogs*"
| stats count dc(centre) AS distinctCenters
| stats count dc(userid) AS distinctUserids
| stats sum(bytes) AS totalBytes by domain
| table domain totalBytes, distinctCenters, distinctUserids

My desired results would look something like...
domain totalBytes distinctCenters distinctUserids
Senior 50000 15 321

Many thanks

Labels (2)
Labels
Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎10-17-2021 10:21 PM

@deton0 

Can you please try this?

index=searchdata domain="*edublogs*"
| stats count dc(centre) AS distinctCenters, dc(userid) AS distinctUserids, sum(bytes) AS totalBytes by domain
| table domain totalBytes, distinctCenters, distinctUserids

 

KV 

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎10-17-2021 10:21 PM

@deton0 

Can you please try this?

index=searchdata domain="*edublogs*"
| stats count dc(centre) AS distinctCenters, dc(userid) AS distinctUserids, sum(bytes) AS totalBytes by domain
| table domain totalBytes, distinctCenters, distinctUserids

 

KV 

0 Karma
Reply
Solved! Jump to solution

deton0
Explorer
‎10-18-2021 03:01 PM

Hi KV

Thanks for this. It's wasn't quite what I needed but got me on the right path to working it out. This is how I changed it and it appears to be working how I need with my original data. 

index=searchdata domain="*edublogs*"
| eval distinctCenters=Case(Like(domain,"edublogs%"), centre)
| eval distinctUserids=Case(Like(domain,"edublogs%"), userid)
| eventstats dc(distinctCenters) as distinctCenters, dc(distinctUserids) as distinctUserids by domain
| stats count, sum(bytes) AS totalBytes by domain, distinctCenters, distinctUserids
| table domain totalBytes, distinctCenters, distinctUserids

deton0

0 Karma
Reply
Get Updates on the Splunk Community!

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...

Adoption of Infrastructure Monitoring at Splunk

  Splunk's Growth Engineering team showcases one of their first Splunk product adoption-Splunk Infrastructure ...

Modern way of developing distributed application using OTel

Recently, I had the opportunity to work on a complex microservice using Spring boot and Quarkus to develop a ...