topic Re: stats count by fieldnames (not field strings) in Splunk Search

stats count by fieldnames (not field strings)

stephenreece — Wed, 15 Apr 2020 08:57:10 GMT

hi all,

bit of a strange one...

The business has put a descriptor of the product as a field name and it would be really useful to stats count by all field names (multiple parent and child categories. I don't really care about the string within the field at this point, i just care that the field appears.

For example

events and field{string} could be:
- name = {testName}
- address = {testAddress}
- address = {testAddress}
- postcode = {testPC}
- name = {testName}
- product = {testProduct}

So my search should produce the following results

eventName statscount
name 2
address 2
postcode 1
product 1

any ideas would be great...

just to add complexity.... there are child categories which goto 3 levels
i.e. product.group.entity = {test entity}

so ideally i'd capture ALL fieldnames in the one search (i will clean it later as long as i can get the logic right.

Re: stats count by fieldnames (not field strings)

stephenreece — Wed, 15 Apr 2020 09:13:35 GMT

hi all... its almost like i need to do a fieldsummary table but only look at counting fields that sit under a parent field of say data.

for example:
data.name
data.address
data.address.postcode
data.product
data.product.group.entity

(i need to count all those fields about by their fieldname

Re: stats count by fieldnames (not field strings)

DalJeanis — Wed, 15 Apr 2020 15:29:16 GMT

You almost had it. Try something like this:

   your base search
   | table data.*
   | rename data.* as *
   | eval junk=1
   | untable junk fieldname fieldvalue
   | stats count by fieldname

Re: stats count by fieldnames (not field strings)

stephenreece — Thu, 16 Apr 2020 05:18:21 GMT

fantastic... thanks very much.... i was going to go along the spath route just for quickness but that would mean writing out each variation by hand... this is such an efficient was to searchl.... KUDOS