Splunk Search

How do I edit my search to output unique values per host?

prakash007
Builder

Any help would be much appreciated here..

Here's my search:

index=main host=host1* source=*server.log*  "exception" |  stats count, values(instance) by host

I'm getting this output:

host    count   values(instance)
host1   1073     ins1
                 ins2
                 ins3
host2   1021     ins2
                 ins3

I'm looking for output with unique values for each instance, your help would be appreciated:

host    count   values(instance)
host1   1000     ins1
        70       ins2
        3        ins3
host2   1000     ins2
        21       ins3
0 Karma
1 Solution

jedatt01
Builder

The reason you are only getting a single count is because of your by clause. It will only show the total count for each host. To accomplish what you want you need run stats on your data twice.

Index=main host=host1* source=server.log "exception" | stats count by host instance | stats list(count) list(instance) by host

View solution in original post

0 Karma

jedatt01
Builder

The reason you are only getting a single count is because of your by clause. It will only show the total count for each host. To accomplish what you want you need run stats on your data twice.

Index=main host=host1* source=server.log "exception" | stats count by host instance | stats list(count) list(instance) by host

0 Karma

prakash007
Builder

I got the expected output. Thanks much jedatt01.

0 Karma

jedatt01
Builder

mcnamara, plz vote up my answer so when people search they know that this answer did indeed work for you.

0 Karma
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

Splunk is officially part of Cisco

Revolutionizing how our customers build resilience across their entire digital footprint.   Splunk ...

Splunk APM & RUM | Planned Maintenance March 26 - March 28, 2024

There will be planned maintenance for Splunk APM and RUM between March 26, 2024 and March 28, 2024 as ...