Solved: Re: Need help with count of count using Timechart

Prathyusha891 · ‎01-19-2023

Event 1:
Product=shirt1 sku=123 sku=234

Event 2:
Product=shirt2 sku=987 sku=789

index= store

| rex field=_raw max_match=0 "sku\W(?P<sku>.*?)\,"

|stats count by _time, sku

o/p:

Output I’m looking for

_time	count
01-04-23	4

ITWhisperer · ‎01-19-2023

index= store

| rex field=_raw max_match=0 "sku\W(?P<sku>.*?)\,"

|stats count by _time, sku

| stats sum(count) as count by _time

gcusello · ‎01-19-2023

please try this:

index= store
| rex field=_raw max_match=0 "sku\W(?P<sku>.*?)\,"
| stats dc(sku) AS sku_count BY _time

or

index= store
| rex field=_raw max_match=0 "sku\W(?P<sku>.*?)\,"
| timechart dc(sku)

Ciao.

Giuseppe

Prathyusha891 · ‎01-20-2023

Its giving us the distinct count of sku but not the total count

gcusello · ‎01-20-2023

I understood that you wanted to have the distinct count, no problem, you can use sum instead dc:

index= store
| rex field=_raw max_match=0 "sku\W(?P<sku>.*?)\,"
| stats dc(sku) AS sku_count count BY _time

Ciao.

Giuseppe

Prathyusha891 · ‎01-20-2023

Sorry. Let me rephrase it for better understanding

O/P I'm looking for -

gcusello · ‎01-20-2023

in this case you can use the solution from @ITWhisperer or:

index= store
| rex field=_raw max_match=0 "sku\W(?P<sku>.*?)\,"
| stats count by _time sku
| timechart sum(count) AS count BY _time

Ciao.

Giuseppe

Prathyusha891 · ‎01-20-2023

Sure Thanks. But I don't think stats and Timechart work together.

ITWhisperer · ‎01-19-2023

index= store

| rex field=_raw max_match=0 "sku\W(?P<sku>.*?)\,"

|stats count by _time, sku

| stats sum(count) as count by _time

Prathyusha891 · ‎01-20-2023

gcusello · ‎01-20-2023

good for you, see next time!

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated by all the contributors 😉

Need help with count of count using Timechart