Reputation: 143
Splunk Query Count of Count
I want to know the count of a count of a query. The query is
sourcetype="cargo_dc_shipping_log" OR sourcetype="cargo_dc_deliver_log" | stats count by X_REQUEST_ID | sort - count
So you can see there are multiple rows with the value of 3.
Thanks in advance
Upvotes: 4
Views: 13186
Answers (3)
Reputation: 66
You're goal in this particular case is to get a summary of counts for this X_REQUEST_ID field, right?
Let's take your initial query:
sourcetype="cargo_dc_shipping_log" OR sourcetype="cargo_dc_deliver_log" | stats count by X_REQUEST_ID | sort - count
What we're missing here is how to aggregate against your aggregation. Then, we can sort:
sourcetype="cargo_dc_shipping_log" OR sourcetype="cargo_dc_deliver_log" | stats count as req_count by X_REQUEST_ID | stats count by req_count | sort - count
Let me know if that works out for you.
Upvotes: 5
Reputation: 85
Simple Just pipe your search to stats count.
...your search query|stats count
Upvotes: 0
Reputation: 3
You could pipe another stats count command at the end of your original query like so:
sourcetype="cargo_dc_shipping_log" OR sourcetype="cargo_dc_deliver_log" | stats count by X_REQUEST_ID | stats count
This would give you a single result with a count field equal to the number of search results.
Upvotes: 0
Related Questions
- Splunk query - Total or Count by field
- Splunk: Get a count of all occurrences of a string?
- Count and sum in splunk
- Splunk: count by Id
- Splunk conditional distinct count
- Sum of count with Splunk
- How to count the total number of events in a splunk search result?
- Splunk - counting numeric information in events
- splunk query for counting based on regex
- How to count results in Splunk and put them in a table?