0
votes

I did a query in Splunk which looks like this:

source="/log/ABCDE/cABCDEFGH/ABCDE.log" doSomeTasks

I now want to count the entries in the log file by Id (Id is an extracted field). But I only want to count every Id once, not every time doSomeTasks is executed. How could I do this?

1 Answer

2
votes

To count unique instances of field values, use the distinct_count or dc function.

source="/log/ABCDE/cABCDEFGH/ABCDE.log" doSomeTasks
| stats dc(Id) as IdCount
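
An added example, not part of the original answer: a search that can be run without the log file and puts the total event count, the count of events that carry an Id, and the distinct Id count side by side. The seven events and the `constructed-*` Id values are made up with `makeresults`, and the seventh event is deliberately left without an Id to show how each function treats a failed field extraction.

```spl
| makeresults count=7
| streamstats count as n
| eval Id=case(n<=3, "constructed-A", n<=5, "constructed-B", n==6, "constructed-C")
| stats count as Executions, count(Id) as EventsWithId, dc(Id) as IdCount
```

On this constructed data Executions is 7, EventsWithId is 6 and IdCount is 3, so a gap between the first two numbers points at events where the Id extraction did not match.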