After running a "stats count by fields" search, is...

satya2p · ‎10-07-2016

I wrote a search and used stats count by to display records. Now I have thousands of records and I would like to know if Splunk has search features on tabled records. We are using 6.3 version. If it's not available can it be created using a script? Please help.

koshyk · ‎10-07-2016

Instead of "stats" , use "eventstats". Then you can have original event with stats data coming as well
Please check this article: http://blogs.splunk.com/2014/04/01/search-command-stats-eventstats-and-streamstats-2/

somesoni2 · ‎10-07-2016

Not sure if I completely understood the requirement here. If your query is like this base search | stats count by somefield(s), then you can add a search/where command at the end to search/filter results based on available fields.( e.g. base search | stats count by somefield(s) | search field1=value1...)

satya2p · ‎10-07-2016

Hi Somesh, I am looking search on tabled command. Lets say you got results and displaying in splunk interface as column X, Y, Z etc. I have thousand of records in single column which i need not do change just wanted to have additional search on column to filter. hope I am clear 🙂

sundareshr · ‎10-07-2016

Try this

base search | stats values(somefield) as mvfield | eval mvfield=mvfind(mvfield, "MATCHING_REGEX")

After running a "stats count by fields" search, is there a way to search on the tabled results?

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life