Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

stats count for multiple columns in query

bawan
New Member
‎01-22-2018 04:16 AM

Hello All,

I have query which is returning below result sets in table :Field1, Field2, Field3 are headers and BLANK,NO-BLANK are respective values

Field1, Field2, Field3
BLANK, NO-BLANK,BLANK
NO-BLANK,NO-BLANK,BLANK
BLANK,NO-BLANK,BLANK
NO-BLANK,NO-BLANK,BLANK
BLANK,BLANK,BLANK

i want to show result as :

COLUMN BLANK_COUNT NO-BLANK_COUNT
Field1 3 2
Field2 1 4
Field3 5 0

Please help me to build query to show output in above format.
Thanks,

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

elliotproebstel
Champion
‎01-22-2018 07:29 AM

Give this a shot:

your base query
| eval temp=1 
| untable temp column val 
| stats count(eval(val="BLANK")) AS BLANK_COUNT count(eval(val="NO-BLANK")) AS NO-BLANK_COUNT BY column

View solution in original post

Reply
Solved! Jump to solution
Solution

elliotproebstel
Champion
‎01-22-2018 07:29 AM

Give this a shot:

your base query
| eval temp=1 
| untable temp column val 
| stats count(eval(val="BLANK")) AS BLANK_COUNT count(eval(val="NO-BLANK")) AS NO-BLANK_COUNT BY column
Reply
Solved! Jump to solution

bawan
New Member
‎01-22-2018 09:25 PM

GREAT.. it works...

Thanks a lot.

0 Karma
Reply
Solved! Jump to solution

493669
Super Champion
‎01-22-2018 07:17 AM

Hi @bawan,
After much trials and errors i finalised below query....have a look

<splunkquery> | table Field1 ,Field2,Field3| replace BLANK WITH 1
| transpose| addtotals row* fieldname="BLANK_COUNT"
| replace 1 with BLANK| replace NO-BLANK WITH 1| addtotals row* fieldname="NO-BLANK_COUNT"
| fillnull
| table column BLANK_COUNT NO-BLANK_COUNT

Let me know if it helps!

0 Karma
Reply
Solved! Jump to solution

bawan
New Member
‎01-22-2018 09:31 PM

Thanks for your query,
It showing correct result for No-blank count but Its not showing for Blank count result.

As, may be due to some fields don't have values for Blank count.

I use above solution provided by elliotproebstel.

0 Karma
Reply
Solved! Jump to solution

bawan
New Member
‎01-22-2018 05:13 AM

Query is :

splunkqry | table field1,field2,field3
will show below output :
Field1, Field2, Field3
BLANK, NO-BLANK,BLANK
NO-BLANK,NO-BLANK,BLANK
BLANK,NO-BLANK,BLANK
NO-BLANK,NO-BLANK,BLANK
BLANK,BLANK,BLANK
.
.
.

as I have around 5000 values for all fields hence can not use transpose after table query.

| stats count(field1) by field1 will give values for field1 as count for BLANK and NO-BLANK
I want count for all fields. I have tried append as well but didn't work.

0 Karma
Reply
Solved! Jump to solution

Sukisen1981
Champion
‎01-22-2018 05:04 AM

Please share your query , meanwhile have you explored the transpose function?
| transpose

0 Karma
Reply
Solved! Jump to solution

bawan
New Member
‎01-22-2018 05:16 AM

Query :

splunkquery | table Field1 ,Field2,Field3

It will work for Fileld1 as stats count(Field1) by Field1 . but I want it for Field2 and Field3 as well.

I have used transpose but no luck.

0 Karma
Reply
Get Updates on the Splunk Community!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...