Splunk Search

I need help using dedup and dc count.

sunnyft
Explorer

I have the following search; based on this I just want to see the unique values for the search.

index=one eventtype=one_tu
| sort -time, ComputerName
| dedup id
| stats dc(id) as ID
| search open=false
| table Date, ComputerName, agentName, class,Content,id

0 Karma
1 Solution

woodcock
Esteemed Legend

Never use sort without a number. There is no need to use both; try this:

index=one eventtype=one_tu
| sort 0 -time, ComputerName
| dedup id
| search open="false"
| table Date, ComputerName, agentName, class,Content,id

0 Karma

DavidHourani
Super Champion

Hi @sunnyft,

I think you're looking for something like this:

index=one eventtype=one_tu  open=false
| sort -time, ComputerName
| dedup id
|stats dc(id) as ID by Date, ComputerName, agentName, class,Content

Let me know if that helps!

Cheers,
David

0 Karma

sunnyft
Explorer

No, it didn't work. I am not able to see any statistics.

0 Karma

DavidHourani
Super Champion

Try using this first:

 index=one eventtype=one_tu  open=false
 | sort -time, ComputerName
 | dedup id

Does it give you anything?
If so, could you please check if you have the following fields: Date, ComputerName, agentName, class, Content?

Could it be that you don't have a field called Date?

 index=one eventtype=one_tu  open=false
 | dedup id
 |stats dc(id) as ID, values(agentName) as agentName, values(class) as class, values(Content) as Content by _time, ComputerName
0 Karma

to4kawa
Ultra Champion

index=one eventtype=one_tu open="false"
| fields Date ComputerName  agentName  class Content id
| stats values(*) as * by id

reference:

  • by-clause
    • Syntax: BY
    • Description: The name of one or more fields to group by. You cannot use a wildcard character to specify multiple fields with similar names. You must specify each field separately. The BY clause returns one row for each distinct value in the BY clause fields. If no BY clause is specified, the stats command returns only one row, which is the aggregation over the entire incoming result set.

If you want to display fields by each id, try my query.

0 Karma

adonio
Ultra Champion

Your stats dc(id) as ID takes away all other fields.
If I understand your needs, try this:
index = one eventtype=one_tu open=false | stats values(id) as all_ids
If you want to see it with the context of other fields, add a by clause to your stats command.

0 Karma
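A constructed, self-contained example (added here; not from any poster in this thread) showing why a bare stats dc(id) leaves the table empty and how to keep the deduplicated rows and the distinct count together. It fabricates six sample events with makeresults and reuses the field names from the question's query; in the real search, replace the makeresults/eval lines with index=one eventtype=one_tu open="false".

```spl
| makeresults count=6
| streamstats count as n
| eval id=case(n<=2, "A-1", n<=4, "A-2", true(), "A-3"),
       ComputerName=if(n%2==0, "HOST01", "HOST02"),
       agentName="agent".n, class="alert", Content="sample event", open="false",
       _time=now()-n*60
| eval Date=strftime(_time, "%Y-%m-%d")
| sort 0 -_time, ComputerName
| dedup id
| eventstats dc(id) as ID
| table Date, ComputerName, agentName, class, Content, id, ID
```

The six constructed events share three ids, so dedup keeps the most recent event per id (three rows), and eventstats attaches ID=3 to every row instead of collapsing them as stats dc(id) would.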

sunnyft
Explorer

Tried using this as well, but no results.

0 Karma

sunnyft
Explorer

I want to add the info to the table without duplicates.

0 Karma

sunnyft
Explorer

Under Statistics I get a 0 count; however, if I don't use stats value I see the results, but I want to get a unique count, so I still need help.

0 Karma

adonio
Ultra Champion

can you share a sample event/s?

0 Karma

sunnyft
Explorer

Maybe I don't even need to use stats dc. I am getting answers when I use this: | stats values(id) as -__Name; however, the table is empty. I was trying to get rid of duplicate Names, even if they are from different users. I am not even sure if I need to use stats dc, but I don't want to see duplicate values in the table.

If I don't use | stats values(id) as -__Name I'm getting results, but duplicates as well.

0 Karma