field3 dc(field1) dc(field2)

nbharadwaj · ‎02-08-2011

I am parsing through a lot of data, so I want to do this preferably in one search command.

1) I want to generate distinct counts field1 and field2, grouped by field3. 2) I also want to generate distinct count on field1 and field2, without a group by.

so for 1 I have something like this:

....| stats dc(field1) dc(field2) by field3

and for 2 I have something like this: ....| stats dc(field1) dc(field2)

How can I combine both of these into one search command? so that I have the following table

field3 dc(field1) dc(field2)

a 20 30 b 50 80 Total 55 90

Note that Total unique != sum of a+b, because of overlaps.

Ron_Naken · ‎02-08-2011

You could use append to join the results. Try something like this (then pipe to format as you need):

... | stats dc(field1) as "DC Field1" dc(field2) as "DC Field2" by field3 | append [search ... | stats dc(field1) as "Total Field1" dc(field2) as "Total Field2"]

Ron_Naken · ‎02-08-2011

Build your search to use Summary Indexing: http://www.splunk.com/base/Documentation/4.1.6/Knowledge/Usesummaryindexing

nbharadwaj · ‎02-08-2011

Hmm, but it still means I have to parse through the data twice. I just want to parse through once if its possible. This is a quarterly report so really big data!

stats generate distinct counts by a field, and also overall

field3 dc(field1) dc(field2)

Splunk Custom Visualizations App End of Life

Introducing Splunk Enterprise 9.2

Adoption of RUM and APM at Splunk