Splunk Search

How to retrieve time\date after distinct count search?

abovebeyond
Communicator

Hi,

My search is:

mysearch | stats dc(Errorcode) as Errors By Name

I want to get results for 2 options:

option 1: adding date to the results
option 2: distinct count by date, Errorcode, Name

Thanks 🙂

0 Karma
1 Solution

esix_splunk
Splunk Employee

You can update your search as

mysearch | stats dc(Errorcode) as Errors By Name _time

That will add the _time field to your results. You may want to consider bucketing your time into larger groups here, however. For example, if you have 10 events that occur every 1 minute, your DC will now be off because it's grouping by time also. So you might want to do:

mysearch | bin span=1d _time | stats dc(Errorcode) as Errors By Name _time

This will group the results together in 1-day buckets. So you'll look at a DC of Errorcode over a 24h period.

It's also worth noting that stats is a reducing command. If you are wanting to maintain the timestamp of the original events, you'll need to do some additional work along the lines of creating a new field that holds the timestamp of the event and adding that into the stats pipeline.

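A worked version of the day-bucketed search that also keeps the original event timestamps, as the accepted answer suggests. This is an added example, not part of the original answer: `mysearch`, `Name` and `Errorcode` are the search and fields from the question, while `event_time`, `first_seen`, `last_seen` and `Codes` are field names chosen here for illustration.

```spl
mysearch
| eval event_time=_time
| bin span=1d _time
| stats dc(Errorcode) as Errors,
        values(Errorcode) as Codes,
        min(event_time) as first_seen,
        max(event_time) as last_seen
        by Name, _time
| eval first_seen=strftime(first_seen, "%Y-%m-%d %H:%M:%S"),
       last_seen=strftime(last_seen, "%Y-%m-%d %H:%M:%S")
| sort Name, _time
```

The copy of `_time` into `event_time` has to happen before `bin`, because `bin` overwrites `_time` with the start of the bucket; once that happens the original per-event timestamps are gone from the pipeline and `min`/`max` would only return the bucket boundary. `dc(Errorcode)` then gives one distinct count per Name per day, `values(Errorcode)` shows which codes made up that count (useful when triaging a spike), and the two `strftime` calls render the retained epoch timestamps as readable dates. Changing `span=1d` to `span=1h` gives an hourly view with the same structure.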

abovebeyond
Communicator

Thanks! Exactly what I need.

appreciate your help

0 Karma

ppablo
Retired

Hi @abovebeyond

Glad you were able to find a solution from @esix_splunk here on Answers. Don't forget to resolve your posts by clicking "Accept" directly below the answers that solved your questions to help other users with similar issues find them.

0 Karma