How to get count ?

MG · ‎06-06-2023

I have a table in splunk with columns
|table _time idx Event_count IsOutlier Actual_outlier atf_hour_of_day atf_day_of_week lowerBound upperBound Email_Alert X X1 outlier_high_index outlier_low_index

I need to check how many times an index appears in the idx column. I can use |stats count by idx. It will give only the columns idx and count. But I need all the other columns as well..

gcusello · ‎06-06-2023

Hi @MG,

you have to use the values option in the stats command:

<your_search>
| stats 
   earliest(_time) AS _time
   values(Event_count) AS Event_count 
   values(IsOutlier) AS IsOutlier 
   values(Actual_outlier) AS Actual_outlier 
   values(atf_hour_of_day) AS atf_hour_of_day 
   values(atf_day_of_week) AS atf_day_of_week 
   values(lowerBound) AS lowerBound 
   values(upperBound) AS upperBound 
   values(Email_Alert) AS Email_Alert 
   values(X) AS X
   values(X1) AS X1
   values(outlier_high_index) AS outlier_high_index 
   values(outlier_low_inde) AS outlier_low_index
   count
   BY idx
| table _time idx Event_count IsOutlier Actual_outlier atf_hour_of_day atf_day_of_week lowerBound upperBound Email_Alert X X1 outlier_high_index outlier_low_index count

In this way you aggregate events grouped by idx, but you could have more values for each field.

ciao.

Giuseppe

javiergn · ‎06-06-2023

Hi @MG , you can use eventstats instead of stats for that as in | eventstats count by idx.

Hope that helps.

How to get count ?

stats

Join Us at the Builder Bar at .conf24 – Empowering Innovation and Collaboration

Combine Multiline Logs into a Single Event with SOCK - a Guide for Advanced Users

Everything Community at .conf24!