Splunk Query Count of Count

splunk
Miverson picture Miverson · Jul 11, 2014 · Viewed 7.2k times · Source

I want to know the count of a count of a query. The query is 

sourcetype="cargo_dc_shipping_log" OR sourcetype="cargo_dc_deliver_log" | stats count by X_REQUEST_ID | sort - count

enter image description here

So you can see there are multiple rows with the value of 3.

Thanks in advance

Answer

henry canivel picture henry canivel · Jul 23, 2014

You're goal in this particular case is to get a summary of counts for this X_REQUEST_ID field, right?

Let's take your initial query:

sourcetype="cargo_dc_shipping_log" OR sourcetype="cargo_dc_deliver_log" | stats count by X_REQUEST_ID | sort - count

What we're missing here is how to aggregate against your aggregation. Then, we can sort:

sourcetype="cargo_dc_shipping_log" OR sourcetype="cargo_dc_deliver_log" | stats count as req_count by X_REQUEST_ID | stats count by req_count | sort - count

Let me know if that works out for you.

Related questions

What does (?i) and ?@ in this regex mean

In the following regex what does "(?i)" and "?@" mean? (?i)<.*?@(?P<domain>\w+\.\w+)(?=>) I know that "?" means zero or one and that i sets case insensitivity. This regex captures domains from an email address in …

Read More
Splunk how to combine two queries and get one answer

I am very new to Splunk and basically been dropped in the deep end!! also very new to language so any help and tips on the below would be great. The out come i am trying to get is to …

Read More
Filtering splunk results using results of another splunk query

I want to use a query in splunk, extract a list of fields and then use these result fields to further filter my subsequent splunk query. How do I do this?

Read More