Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Distinct counts on only those fields that begin with a particular string

deton0
Explorer
‎10-17-2021 08:46 PM

Hi

I'm searching on an internet usage index for events that contain a particular word somewhere in the domain. For example the word could be "edublogs".

From the result, I need to sum the total of bytes downloaded for all events returned. The problem I'm having is needing to calculate a distinct count of centers and a distinct count of userids where the domain name only begins with "edublogs", e.g. "edublogs.com" and not when it doesn't, e.g.  "accountsedublogs.com".

I know this example is wrong but can someone please help me with how I would change it to achieve the outcome below?

index=searchdata domain="*edublogs*"
| stats count dc(centre) AS distinctCenters
| stats count dc(userid) AS distinctUserids
| stats sum(bytes) AS totalBytes by domain
| table domain totalBytes, distinctCenters, distinctUserids

My desired results would look something like...
domain totalBytes distinctCenters distinctUserids
Senior 50000 15 321

Many thanks

Labels (2)
Labels
Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎10-17-2021 10:21 PM

@deton0 

Can you please try this?

index=searchdata domain="*edublogs*"
| stats count dc(centre) AS distinctCenters, dc(userid) AS distinctUserids, sum(bytes) AS totalBytes by domain
| table domain totalBytes, distinctCenters, distinctUserids

 

KV 

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎10-17-2021 10:21 PM

@deton0 

Can you please try this?

index=searchdata domain="*edublogs*"
| stats count dc(centre) AS distinctCenters, dc(userid) AS distinctUserids, sum(bytes) AS totalBytes by domain
| table domain totalBytes, distinctCenters, distinctUserids

 

KV 

0 Karma
Reply
Solved! Jump to solution

deton0
Explorer
‎10-18-2021 03:01 PM

Hi KV

Thanks for this. It's wasn't quite what I needed but got me on the right path to working it out. This is how I changed it and it appears to be working how I need with my original data. 

index=searchdata domain="*edublogs*"
| eval distinctCenters=Case(Like(domain,"edublogs%"), centre)
| eval distinctUserids=Case(Like(domain,"edublogs%"), userid)
| eventstats dc(distinctCenters) as distinctCenters, dc(distinctUserids) as distinctUserids by domain
| stats count, sum(bytes) AS totalBytes by domain, distinctCenters, distinctUserids
| table domain totalBytes, distinctCenters, distinctUserids

deton0

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...