I have a table in this form (fields and values):
USERID  USERNAME  CLIENT_A_ID  CLIENT_B_ID
11      Tom       555          123
11      Tom       555          456
11      Tom       777          456
11      Tom       999          456
22      Jill      444          789
22      Jill      888          234
The output of the Splunk query should give me:
USERID  USERNAME  CLIENT_A_ID_COUNT  CLIENT_B_ID_COUNT
11      Tom       3                  2
22      Jill      2                  2
It should calculate distinct counts for the fields CLIENT_A_ID and CLIENT_B_ID on a per-user basis.
For the second part of the question,
use stats dc(client_a_id), dc(client_b_id) by USERNAME
Thanks for this as well; very helpful (and it worked).
Use:
... | stats dc(CLIENT_*_ID) as CLIENT_*_ID_COUNT by USERID USERNAME
Might be worth using 'distinct_count' rather than 'dc' on these boards, as it wasn't obvious to me what 'dc' was until I discovered distinct_count.
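The two answers above as one self-contained search (an added example, not code from the original thread). The six rows from the question are constructed inline with makeresults/streamstats/eval so the search runs without any index; the helper field n is an assumption used only to build the sample rows:

```spl
| makeresults count=6
| streamstats count AS n
| eval USERID=if(n<=4, 11, 22),
       USERNAME=if(n<=4, "Tom", "Jill"),
       CLIENT_A_ID=case(n==1, 555, n==2, 555, n==3, 777, n==4, 999, n==5, 444, n==6, 888),
       CLIENT_B_ID=case(n==1, 123, n==2, 456, n==3, 456, n==4, 456, n==5, 789, n==6, 234)
| fields - _time n
| stats dc(CLIENT_A_ID) AS CLIENT_A_ID_COUNT, dc(CLIENT_B_ID) AS CLIENT_B_ID_COUNT BY USERID USERNAME
```

The final stats line reproduces the output table from the question (Tom 3/2, Jill 2/2); the wildcard form `stats dc(CLIENT_*_ID) AS CLIENT_*_ID_COUNT BY USERID USERNAME` from the answer above gives the same result and is shorter when there are many CLIENT_*_ID fields. `distinct_count()` is an alias of `dc()`, so either spelling works. Two things to keep in mind when adapting this to real data: Splunk field names are case-sensitive, so `dc(client_a_id)` will silently return nothing for a field named CLIENT_A_ID, and events where the field is null are ignored by `dc()`. For very high-cardinality fields, `estdc()` gives an approximate distinct count with much lower memory use.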
I just checked this one out, and seems to be a quick way of getting what I need:
index="google" sourcetype="*directory*" "emails{}.address"="*mydomain.com"
| timechart dc(name.fullName) span=1d cont=FALSE
Thanks for the pointer; I have not used the dc command before.