- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: How can I get a stats count number of events i...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How can I get a stats count number of events in a field?
how to do a - stats count number of events in a field?
index=sm auth | status count(events) by Field.
is not working.
Thanks
Kiran
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try
| tstats count where index=sm- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Came across this while looking and saw it was still unresolved. In essence, you are asking to provide count by Field. You will have to specify field as you cannot simply ask to display count by field. The example below takes data from index=sm where "auth" is present and to provide number of events by host,user
For example:
index=sm auth | stats count by host, user
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
stats count by field - gives me each event in that field and its count. i dont want that. i just want the number of events in that field.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The | stats count by Field will provide you field value and count of events which have that value. Could you provide what you expect with some example data?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Not entirely sure what you mean by "number of events in a field", but counting events simply works by doing "count", like:
index=sm auth | stats count by Field
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
stats count by field - gives me each event in that field and its count. i dont want that. i just want the number of events in that field.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Can you by any chance post some screenshot of the result you get and then describe the desired outcome, because I still don't understand what you mean by "the number of events in that field" and what you mean by that stats command returns each event AND its count.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
have you tried this:
index=sm | stats count by Field
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
stats count by field - gives me each event in that field and its count. i dont want that. i just want the number of events in that field.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
so are you expecting total number of events then try simply stats count like:
index=sm auth | stats count
Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!
They're back! Join the SplunkTrust and MVP at .conf24
Enterprise Security Content Update (ESCU) | New Releases
