Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Getting rid of subsearch

cpeteman
Contributor
‎07-26-2013 10:53 AM

I feel like this should be a piece of cake with distinct count. I'd like to turn this into a more elegant search:

 searchterms | bucket _time span=1m | stats count by punct,_time |  join [searchterms | stats count by punct| stats sum(count) by punct]

It gets the count of each punct in a given minute along with the total count for that punct over the entire search range.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

lguinn2
Legend
‎07-26-2013 11:24 AM

Try this

yoursearchhere
| bucket _time span=1m
| stats count as CountForMinute by punct, _time
| eventstats sum(CountForMinute) as CountForPunct by punct

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

lguinn2
Legend
‎07-26-2013 11:24 AM

Try this

yoursearchhere
| bucket _time span=1m
| stats count as CountForMinute by punct, _time
| eventstats sum(CountForMinute) as CountForPunct by punct
0 Karma
Reply
Solved! Jump to solution

cpeteman
Contributor
‎07-26-2013 11:36 AM

That makes more sense it looks to work now.

0 Karma
Reply
Solved! Jump to solution

lguinn2
Legend
‎07-26-2013 11:35 AM

I fixed my typo - so the above answer should work now. I was being cute by giving names to the counts, and I outsmarted myself...

Reply
Solved! Jump to solution

cpeteman
Contributor
‎07-26-2013 11:29 AM

This only gives Count for minute strangely it does not seem that eventstats is doing anything

0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...