Solved: Re: How do you use a count without a parameter?

jkrobbins · ‎10-31-2018

Most of the examples I've seen (still learning) use count like so:

| stats count(src_ip) as IP

but I occasionally find an example like this:

| stats count

or

| stats count as IP

Why and when would you use count without a field name? How does it even work, that is, how does it know what field to count?

I've searched the documentation and can't find any explanation for the different formats.

FrankVl · ‎10-31-2018

A count without a field name specified, simply counts the total number of events. count(field1) counts the number of events that have field1 populated. So if every event contains field1, count and count(field1) will give the same result. But if some of your events don't contain field1, the two methods will give different results.

View solution in original post

FrankVl · ‎10-31-2018

A count without a field name specified, simply counts the total number of events. count(field1) counts the number of events that have field1 populated. So if every event contains field1, count and count(field1) will give the same result. But if some of your events don't contain field1, the two methods will give different results.

jkrobbins · ‎10-31-2018

Thank you. That makes perfect sense. I should have figured that out.

How do you use a count without a parameter?

Introducing the Splunk Community Dashboard Challenge!

Wondering How to Build Resiliency in the Cloud?

Updated Data Management and AWS GDI Inventory in Splunk Observability