Splunk Search

Count occurrences of values for a field

RB5
Path Finder

For below, I'd like to list the number of times a 'type' exists, that is, 1 PDF, 1 GIF, 2 JPG and 6 PNG. There is more to the search/data, but using something like:

| stats count by Date, DIRECTION, type

will only list '1' for each field (as if doing a distinct count). Something like:

| stats dc(type) as TYPES by Date DIRECTION, type

list '4' for each type (I assume because 4 different types).

Seems like it's probably easy, but I'm missing it.
Thanks.

Jun 7 00:50:15 lrdna0n2xepmx10 filter_instance1 rprt s=1mb0nj7xyk m=1 mod=mail cmd=attachment type=jpg
Jun 7 00:50:15 lrdna0n2xepmx10 filter_instance1 rprt s=1mb0nj7xyk m=1 mod=mail cmd=attachment type=jpg
Jun 7 00:50:15 lrdna0n2xepmx10 filter_instance1 rprt s=1mb0nj7xyk m=1 mod=mail cmd=attachment type=png
Jun 7 00:50:15 lrdna0n2xepmx10 filter_instance1 rprt s=1mb0nj7xyk m=1 mod=mail cmd=attachment type=png
Jun 7 00:50:15 lrdna0n2xepmx10 filter_instance1 rprt s=1mb0nj7xyk m=1 mod=mail cmd=attachment type=png
Jun 7 00:50:15 lrdna0n2xepmx10 filter_instance1 rprt s=1mb0nj7xyk m=1 mod=mail cmd=attachment type=png
Jun 7 00:50:15 lrdna0n2xepmx10 filter_instance1 rprt s=1mb0nj7xyk m=1 mod=mail cmd=attachment type=png
Jun 7 00:50:15 lrdna0n2xepmx10 filter_instance1 rprt s=1mb0nj7xyk m=1 mod=mail cmd=attachment type=png
Jun 7 00:50:15 lrdna0n2xepmx10 filter_instance1 rprt s=1mb0nj7xyk m=1 mod=mail cmd=attachment type=gif
Jun 7 00:50:15 lrdna0n2xepmx10 filter_instance1 rprt s=1mb0nj7xyk m=1 mod=mail cmd=attachment type=pdf

Tags (3)
0 Karma

RB5
Path Finder

I know I can do: |stats count by type
for the data I show above, but there is more to the scenario than that. I'll post the full issue in another question.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...