Splunk Query Count of Count

Question

I want to know the count of a count of a query. The query is

sourcetype="cargo_dc_shipping_log" OR sourcetype="cargo_dc_deliver_log" | stats count by X_REQUEST_ID | sort - count

enter image description here

So you can see there are multiple rows with the value of 3.

Thanks in advance

score 5 · Accepted Answer · answered Jul 23 '14 at 08:33

You're goal in this particular case is to get a summary of counts for this X_REQUEST_ID field, right?

Let's take your initial query:

sourcetype="cargo_dc_shipping_log" OR sourcetype="cargo_dc_deliver_log" | stats count by X_REQUEST_ID | sort - count

What we're missing here is how to aggregate against your aggregation. Then, we can sort:

sourcetype="cargo_dc_shipping_log" OR sourcetype="cargo_dc_deliver_log" | stats count as req_count by X_REQUEST_ID | stats count by req_count | sort - count

Let me know if that works out for you.

score 0 · Answer 2 · answered Jul 12 '14 at 03:54

You could pipe another stats count command at the end of your original query like so:

sourcetype="cargo_dc_shipping_log" OR sourcetype="cargo_dc_deliver_log" | stats count by X_REQUEST_ID | stats count

This would give you a single result with a count field equal to the number of search results.

score 0 · Answer 3 · answered Jul 12 '14 at 11:11

0

Simple Just pipe your search to stats count.

...your search query|stats count

answered Jul 12 '14 at 11:11

krish3

85
1
1
8

Splunk Query Count of Count

3 Answers3