Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to get stats based on multiple values for a single source?

Nidheesh
Explorer
‎08-06-2018 06:25 AM

I have 3 sources source1, source2, source3 and 5 sourcetypes sourcetype1, sourcetype2, sourcetype3, sourcetype4, sourcetype5 for a single host host1.

Where sourcetype1 belongs exclusively to source1 and sourcetype2 to source2 but source3 has 3 sourcetypes; sourcetype3, sourcetype4 and sourcetype5.

Likewise, I have 2 sources source4, source5 and 3 sourcetypes sourcetype6, sourcetype7, sourcetype8 for another host host2. With source4 having sourcetype6 and source5 having sourcetype7 and sourcetype8.

I wish to have a stats count like this:

        ---------------------------------------
        host         source      sourcetype
        ---------------------------------------
        host1       source1     sourcetype1
        host1       source2     sourcetype2
        host1       source3     sourcetype3
        host1       source3     sourcetype4
        host1       source3     sourcetype5
        host2       source4     sourcetype6
        host2       source5     sourcetype7
        host2       source5     sourcetype8

Can someone please help?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

adonio
Ultra Champion
‎08-06-2018 06:44 AM

maybe try this:

.... | stats values(sourcetype) as v_sourcetype by source host

View solution in original post

0 Karma
Reply
Solved! Jump to solution

renjith_nair
Legend
‎08-06-2018 07:16 AM

It shouldn't be that simple but what's missing from

"your search"|stats count by host,source,sourcetype
---
What goes around comes around. If it helps, hit it with Karma 🙂
Reply
Solved! Jump to solution

DalJeanis
Legend
‎08-06-2018 10:28 AM

It is that simple. Or, at least, that meets the request the OP wrote up.

0 Karma
Reply
Solved! Jump to solution

493669
Super Champion
‎08-06-2018 06:45 AM

try below if you want count:

...|stats count by sourcetype

and if you want all values as well then try:

...|stats values(*) as * count by sourcetype
Reply
Solved! Jump to solution

Nidheesh
Explorer
‎08-06-2018 10:41 AM

Thank you 🙂

0 Karma
Reply
Solved! Jump to solution
Solution

adonio
Ultra Champion
‎08-06-2018 06:44 AM

maybe try this:

.... | stats values(sourcetype) as v_sourcetype by source host

0 Karma
Reply
Solved! Jump to solution

Nidheesh
Explorer
‎08-06-2018 10:40 AM

Thank you Adonio. It worked.

0 Karma
Reply
Get Updates on the Splunk Community!

Get the T-shirt to Prove You Survived Splunk University Bootcamp

As if Splunk University, in Las Vegas, in-person, with three days of bootcamps and labs weren’t enough, now ...

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...

Wondering How to Build Resiliency in the Cloud?

IT leaders are choosing Splunk Cloud as an ideal cloud transformation platform to drive business resilience,  ...