
Count a field value for one field, but not for another in Stats

raby1996
Path Finder

Hello All,

I am running a report that uses multiple stats commands to achieve the final output. In this report I have two fields which depend on the number of machines I have. One is what we call runtime, which uses all the data for that machine and is the runtime on that code level and is currently correct; the other is current installs for that code level, which only uses the most recent file.

The runtime for each machine should go across multiple code levels since it can move from one to another and we want to see the amount of time spent on that code level.
The Install, however, should only be counted for the current level, so if a machine was on code level A then B, then B, being the most recent, should have a single install and A should have 0.

I was attempting the following after my main stats command; however, it always returns a blank. Are there any suggestions? Thank you!

Main Search..... | appendpipe [ dedup Machine | stats count(Machine) as Real_Count by Code | fillnull value=0]
0 Karma

elliotproebstel
Champion

In this code snippet: dedup Machine | stats count(Machine) as Real_Count by Code are you trying to get a count of the unique Machine values by each Code? If so, you could use this instead: dc(Machine) as Real_Count by Code. I'm having trouble following the rest of your description. Could you include the results of your main stats command and also the command itself? That might help us troubleshoot.

0 Karma
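One way to get both numbers from a single stats pass, added here as an example and not taken from either poster: tag every event with its machine's most recent Code, then count a machine as an install only on rows where Code matches that value. The sample rows are constructed, and the example assumes a hypothetical numeric field Hours holding runtime and that _time reflects how recent each file is.

```spl
| makeresults count=4
| streamstats count as n
``` constructed sample: M1 moved from A to B, M2 is on A, M3 is on B ```
| eval Machine=case(n==1,"M1", n==2,"M1", n==3,"M2", n==4,"M3")
| eval Code=case(n==1,"A", n==2,"B", n==3,"A", n==4,"B")
``` Hours is a hypothetical runtime field; _time stands in for file recency ```
| eval Hours=case(n==1,10, n==2,5, n==3,7, n==4,3)
| eval _time=now() - (5-n)*86400
``` attach each machine's most recent Code to all of its events ```
| eventstats latest(Code) as Current_Code by Machine
``` runtime sums over every event; installs count a machine only on its current Code ```
| stats sum(Hours) as Runtime, dc(eval(if(Code==Current_Code, Machine, null()))) as Real_Count by Code
```

Because the conditional count runs on the raw events, it has to come before any stats command that drops the Machine field.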