Reputation: 43
Splunk - Table to display count > 1 and an additional field?
I am trying to generate a search where it scans “mylogs” and isolates only IDs that appear in more than one LOCATION. I’m getting close with the following search:
mylogs | stats count by ID | where count > 1 | table ID, LOCATION
This isolates IDs that appear more than once, but does not list the LOCATIONS of these IDs.
I’ve explored dc; using charts vs. tables, trying to eval the count, count AS newfield, but all to no avail. Thinking this isn’t rocket science.
Anyone?
Upvotes: 1
Views: 9868
Answers (1)
Reputation: 181
The following should do it.
mylogs
| stats count, values(LOCATION) as LOCATION by ID
| where count > 1
| mvexpand LOCATION
| table ID, LOCATION
When you use stats count by id you lose all other fields except count and id. Whenever you use stats, always include all the fields you will need for displaying or further processing. Hence, values(LOCATION) is used to gather all the locations seen for the ID. This however will create a multivalue field which is why I split each location for an ID using mvexpand.
Upvotes: 2
Related Questions
- Splunk - I want to add a value from stats count() to a value from a lookup table and show that value in a table
- Splunk query - Total or Count by field
- Count and sum in splunk
- Splunk: count by Id
- Splunk conditional distinct count
- Splunk count 2 different fields with two different group by without displaying them
- How can i display event (row) count in Splunk dashboard panel
- How to count specific value occurrences in the same field?
- How to count results in Splunk and put them in a table?
- Splunk Query Count of Count