Splunk stats unique

11/19/2023

`| eval "Last Seven Days" = sevenday_success`

`stats dc(srcip) as ipcount where ipcount > 50`

Tried but it doesn't work.

stats functions:

- `count`: number of events (individual count)
- `dc` (distinct count): count of unique values (count of group/field values, not of events)
- `sum`: Sum of.

When using wildcards to query multiple fields, errors might occur if the fields are of different types. You can, however, suppress results that meet your conditions.

`| stats sum(eval(success=1)) as sevenday_success, sum(eval(success=0)) as sevenday_fail by requester ]`

The stats command will always return results (although sometimes they'll be null).

`index=http_logs | eval success=if(status_code>=200 AND status_code<=299, 1, 0)`

The `dc` (or `distinct_count`) function returns a count of the unique values of `userid` and renames the resulting field `dcusers`.

This is because the eval function always returns a value (0 or 1) and counting them would give the total number of results rather than the number of events that match the condition.

From the Splunk Enterprise 9.1.0 Search Manual, "Use the stats command and functions": this topic discusses how to use the statistical functions with the transforming commands chart, timechart, stats, eventstats, and streamstats.

Note the use of `sum` instead of `count` in the stats commands.

Populating a daily summary index search with the results of something like.

But the question here is more about how to do this with summary indexing, which is complicated for distinct counts. To get counts for different time periods, we usually run separate searches and combine the results.
The broader question here, "what's the best way to count the distinct count of X for each value of foo and bar", has the simple answer `stats dc(X) by foo bar`. To put multiple values in a cell we usually concatenate the values into a single value. Splunk tables usually have one value in each cell.
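Why summary indexing is "complicated for distinct counts", as an added example that is not part of the original page or of Splunk: the per-day `success`/`fail` sums from the search above can simply be added up for the seven-day totals, but a per-day `dc(srcip)` cannot, so the daily summary has to keep the set of values (or the union is computed on the raw events). The events, requester names and IPs below are constructed sample data.

```python
from collections import defaultdict

# Constructed sample HTTP log events (not from the page): one dict per event.
EVENTS = [
    {"day": "2023-11-13", "requester": "alice", "srcip": "10.0.0.1", "status_code": 200},
    {"day": "2023-11-13", "requester": "alice", "srcip": "10.0.0.2", "status_code": 503},
    {"day": "2023-11-13", "requester": "bob",   "srcip": "10.0.0.1", "status_code": 204},
    {"day": "2023-11-14", "requester": "alice", "srcip": "10.0.0.1", "status_code": 200},
    {"day": "2023-11-14", "requester": "alice", "srcip": "10.0.0.3", "status_code": 200},
    {"day": "2023-11-14", "requester": "bob",   "srcip": "10.0.0.4", "status_code": 500},
]

def success(ev):
    """Mirror of `eval success=if(status_code>=200 AND status_code<=299, 1, 0)`."""
    return 1 if 200 <= ev["status_code"] <= 299 else 0

def daily_summary(events):
    """One summary row per (day, requester): additive counts plus the set of srcips.
    Keeping the set, not just its size, is what makes a later distinct count possible."""
    rows = defaultdict(lambda: {"success": 0, "fail": 0, "srcips": set()})
    for ev in events:
        row = rows[(ev["day"], ev["requester"])]
        row["success"] += success(ev)
        row["fail"] += 1 - success(ev)
        row["srcips"].add(ev["srcip"])
    return rows

def weekly_from_summary(rows):
    """Combine daily rows per requester: sums for success/fail, set union for dc(srcip)."""
    out = defaultdict(lambda: {"sevenday_success": 0, "sevenday_fail": 0, "srcips": set()})
    for (_, requester), row in rows.items():
        out[requester]["sevenday_success"] += row["success"]
        out[requester]["sevenday_fail"] += row["fail"]
        out[requester]["srcips"] |= row["srcips"]
    return {r: {"sevenday_success": v["sevenday_success"],
                "sevenday_fail": v["sevenday_fail"],
                "dc_srcip": len(v["srcips"])} for r, v in out.items()}

def naive_summed_dc(rows):
    """The wrong way: adding per-day dc values double-counts IPs seen on several days."""
    totals = defaultdict(int)
    for (_, requester), row in rows.items():
        totals[requester] += len(row["srcips"])
    return dict(totals)
```

For `alice` the naive sum of daily distinct counts gives 4 while the true seven-day `dc(srcip)` is 3, because 10.0.0.1 appears on both days.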