Solved: I need help me using dedup and dc count?

sunnyft · ‎03-27-2020

I have the following search based on this i just want to see unique values for the search

woodcock · ‎03-28-2020

Never use sort without a number. There is no need to use both; try this:

index=one eventtype=one_tu
| sort 0 -time, ComputerName
| dedup id
| search open="false"
| table Date, ComputerName, agentName, class,Content,id

View solution in original post

woodcock · ‎03-28-2020

Never use sort without a number. There is no need to use both; try this:

index=one eventtype=one_tu
| sort 0 -time, ComputerName
| dedup id
| search open="false"
| table Date, ComputerName, agentName, class,Content,id

DavidHourani · ‎03-28-2020

Hi @sunnyft,

I think you're looking for something like this :

index=one eventtype=one_tu  open=false
| sort -time, ComputerName
| dedup id
|stats dc(id) as ID by Date, ComputerName, agentName, class,Content

Let me know if that helps !

Cheers,
David

sunnyft · ‎03-28-2020

No it didn't work I am not able to see the any Statistics

DavidHourani · ‎03-28-2020

Try using this first :

 index=one eventtype=one_tu  open=false
 | sort -time, ComputerName
 | dedup id

Does it give you anything ?
If so, could you please check if you have the following fields : Date, ComputerName, agentName, class,Content ?

Could be that you don't have a field called Date ?

 index=one eventtype=one_tu  open=false
 | dedup id
 |stats dc(id) as ID, values(agentName) as agentName, values(class) as class, values(Content) as Content by _time, ComputerName

to4kawa · ‎03-27-2020

index=one eventtype=one_tu open="false"
| fields Date ComputerName  agentName  class Content id
| stats values(*) as * by id

reference:

by-clause
- Syntax: BY
- Description: The name of one or more fields to group by. You cannot use a wildcard character to specify multiple fields with similar names. You must specify each field separately. The BY clause returns one row for each distinct value in the BY clause fields. If no BY clause is specified, the stats command returns only one row, which is the aggregation over the entire incoming result set.

If you want to display fields by each id , try my query.

adonio · ‎03-27-2020

your stats dc(id) as ID takes away all other fields
if i understand your needs, try this:
index = one eventtype=one_tu open=false | stats values(id) as all_ids
if you want to see it with other fields context, add a by clause for your stats command

sunnyft · ‎03-27-2020

Tried using this as well but no results

sunnyft · ‎03-27-2020

I wan to add the info in the table without duplicate

sunnyft · ‎03-27-2020

under statistics i get 0 count however, if i don't use stats value I see the results but i want to get unique count so still need help

adonio · ‎03-27-2020

can you share a sample event/s?

sunnyft · ‎03-27-2020

may be i dont even need to use stat dc, I am getting answers when i use this | stats values(id) as -__Name however the table is empty i was trying to do to get rid off duplicate Name even if it is by different user, I am not even sure if i need to use Stats dc but I dont want to see duplicate value in the table

if i dont use | stats values(id) as -__Name i'm getting results but duplicate as well

I need help me using dedup and dc count?

Routing logs with Splunk OTel Collector for Kubernetes

Welcome to the Splunk Community!

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM