Solved: dedup with total counts

phil_dupree · ‎09-22-2016

I have been tasked with building a dashboard which shows the total number of transactions today for each server. I can easily get the distinct servers using dedup; however, I am not sure how to directly get the number of transactions for the day. In order for me to find the number of transactions, I can use eval to subtract the min(ID_Number) from the max(ID_Number) for today; but I cannot figure out how to incorporate this with dedup.

I would like the results to look something like this:

ServerA 105
ServerB 109
ServerC 210

Any assistance is greatly appreciated!

bwooden · ‎09-22-2016

If I understand correctly, one way would be to use the stats to get min & max per server and then use eval command to calculate total transactions for each. Example:

... | stats min(ID_Number) as min_id max(ID_Number) as max_id by server 
    | eval num_transactions = max_id - min_id
    | table server num_transactions

View solution in original post

bwooden · ‎09-22-2016

If I understand correctly, one way would be to use the stats to get min & max per server and then use eval command to calculate total transactions for each. Example:

... | stats min(ID_Number) as min_id max(ID_Number) as max_id by server 
    | eval num_transactions = max_id - min_id
    | table server num_transactions

phil_dupree · ‎09-22-2016

Perfect! Thank you!

richgalloway · ‎09-22-2016

Using stats count(ID_Number) by server should get you the results you seek without dedup.

---
If this reply helps you, Karma would be appreciated.

dedup with total counts

Detecting Remote Code Executions With the Splunk Threat Research Team

Observability | Use Synthetic Monitoring for Website Metadata Verification

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk