topic Re: Grouping events in Splunk Search

Grouping events

DTERM — Mon, 15 Aug 2011 22:10:25 GMT

How do I develop a query that groups events by product names? I don't know what the product names are. But I need a query that will extract that data and group it.

I've tried using kmeans and transaction but I was not able to get the desired results. Thanks.

Re: Grouping events

Brian_Osburn — Mon, 15 Aug 2011 22:16:40 GMT

Can you give us an example of the data / events you are trying to group?

Re: Grouping events

DTERM — Tue, 16 Aug 2011 14:18:58 GMT

For example, let's say I have products like sendmail, named, and httpd in my logs. These are under a field called productName. I want to be able to create a query that sorts by these productNames. Preferably without using the productNames in the query (but I will if I have to).

Re: Grouping events

Ayn — Tue, 16 Aug 2011 14:31:17 GMT

How do you mean "sort by"? Do you want to join disparate events into one event based on the productName? Or do you want to create statistics based on productName? It's much easier to answer if you can provide us with a clear and concise description of a specific goal you want to achieve, preferrably also with sample log events.

Re: Grouping events

mzorzi — Tue, 16 Aug 2011 23:52:15 GMT

index=* | stats count by productNames | sort -count