How to get a stats count against the sourcetype fr...

ehaile · ‎07-28-2015

I have a lookup table that consists of 5 fields (index, sourcetype, description, owner, os). I would like to perform a stats count against the sourcetype, while listing all the other fields in the lookup table. However, I cannot figure out how to search against my data to populate the stats count by sourcetype. Below is the search I have created.

|inputlookup Sourctype.csv|fields + index, sourcetype, desc, owner, os|stats count by sourcetype, index, desc, os

somesoni2 · ‎08-06-2015

I believe you need something like this

 |inputlookup Sourctype.csv|fields + index, sourcetype, desc, owner, os|eventstats count by sourcetype

THis will just a new columns count with count based on sourcetype, keeping all rows together.

woodcock · ‎07-28-2015

Like this:

|inputlookup Sourctype.csv |stats values(*) BY sourcetype | appendcols [|inputlookup Sourctype.csv |stats dc(sourcetype)]

woodcock · ‎08-06-2015

I am not exactly sure what you are trying to get but maybe like this:

| inputlookup Sourctype.csv | stats count values(*) BY sourcetype

This counts the number of lines that contain each sourcetype and lists the values of the other fields, too.

ehaile · ‎08-06-2015

Thanks Woodcock for your response.

Unfortunately I'm only getting a count for the first row , as a opposed to each row.

How would I go about getting a stats count for each row as well?

How to get a stats count against the sourcetype from lookup table while listing all other fields?

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!