Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Converting subsearch to a search with count and distinct count

cpeteman
Contributor
‎07-16-2013 10:38 AM

So I have two searched joined together that works great, Unfortunately the subsearch reaches the time limit even on fast mode especially since I need to run the search over 3 years. I'd like a way to get rid of the subsearch while keeping the end results the same.

search_term1 nid="*" 
| dedup nid | search NOT hostname="*" 
| rex field=nid "(?<ip>.*)@(?<network>.*)" 
| stats count AS nid_count by network 
| join [search search_term1 nid="*" NOT hostname="*"
    | rex field=nid "(?<ip>.*)@(?<network>.*)"
    | stats count AS event_count by network]

Let me know if you have questions or need any more information.

Reply
1 Solution
Solved! Jump to solution
Solution

lguinn2
Legend
‎07-16-2013 10:45 AM

Try this

search_term1 nid="*" NOT hostname="*"
| rex field=nid "(?<ip>.*)@(?<network>.*)"
| stats count AS event_count distinct_count(nid) as nid_count by network

It should run much faster, as well as avoiding the subsearch limits.

View solution in original post

Reply
Solved! Jump to solution

okrabbe_splunk
Splunk Employee
Splunk Employee
‎07-16-2013 10:50 AM

Maybe I am reading this wrong but you are basically looking to get a distinct count on the nid field and also combine that with an overall event count by network?

search search_term1 nid="*" NOT hostname="*"
| rex field=nid "(?<ip>.*)@(?<network>.*)"
| stats dc(nid) as nid_count count AS event_count by network
Reply
Solved! Jump to solution

okrabbe_splunk
Splunk Employee
Splunk Employee
‎07-16-2013 10:53 AM

ok! I see lguinn already answered you question.

0 Karma
Reply
Solved! Jump to solution

cpeteman
Contributor
‎07-16-2013 10:52 AM

Yes. That's pretty much what I was doing.

0 Karma
Reply
Solved! Jump to solution
Solution

lguinn2
Legend
‎07-16-2013 10:45 AM

Try this

search_term1 nid="*" NOT hostname="*"
| rex field=nid "(?<ip>.*)@(?<network>.*)"
| stats count AS event_count distinct_count(nid) as nid_count by network

It should run much faster, as well as avoiding the subsearch limits.

Reply
Solved! Jump to solution

cpeteman
Contributor
‎07-16-2013 10:49 AM

That works great! I switched the stats commands at the end to get the fields in the same order but otherwise perfect.

Reply
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...