topic Re: stats usage to display output as follows in Splunk Search

stats usage to display output as follows

rakesh_498115 — Mon, 25 Jun 2012 18:55:18 GMT

I have a table like this ..

Table 1 : Information to be searched

**Company A | Company B

abc xyz
lmn pqr
def pgf**

Where the values mentioned inside the table are searchparameters . Now i need the count of the search parameters in splunk like this ..

Table 2: Output
Company A | Count A | Company B | Count B
abc 30 xyz 10
lmn 40 pqr 23

def 50 pgf 29

my sourcetype is "A".

sourcetype="A" abc | stats count as Count A

has given abc count..I need count for all the values in A and B mentioned in Table 1 as in Table 2.i.e Table 2 should be the output for my search results...How do i accomplish this..please help..

Re: stats usage to display output as follows

Ayn — Mon, 25 Jun 2012 19:12:54 GMT

Explain the table more clearly. Is the table itself one single event in the input? How exactly does the raw data that you're operating on look like?

Re: stats usage to display output as follows

rakesh_498115 — Fri, 29 Jun 2012 13:15:42 GMT

the raw contains these terms abc ,xyz, lmn, pqr, def pgf . where abc lmn def belong to company A and xyz pqr def belong to company B. Now i need to know the count of these searchs like the table showed above...

Re: stats usage to display output as follows

piebob — Wed, 14 Nov 2012 00:15:15 GMT

hi! i will award a 50 karma bounty to the first person to provide a good/correct answer to this question!

Re: stats usage to display output as follows

yannK — Wed, 14 Nov 2012 00:34:50 GMT

Quick and dirty answer for the bounty reward. " dead or alive"

sourcetype="A" NOT "companyA" NOT "------" | rex "^(?<companyA>[^\s]*) (?<companyB>\w+)$" | stats dc(companyA) count(companyA) dc(companyB) count(companyB)

Re: stats usage to display output as follows

alacercogitatus — Wed, 14 Nov 2012 19:10:30 GMT

While yannK has provided a "quick and dirty", (and I borrowed portions of his answer), I think this may be closer to what you want because of the need to count by the value of companyA and companyB. This is by no means optimized, but outputs a table as seen below the search.

sourcetyp="A" NOT "companyA" NOT "-------" | rex field=_raw "^(?<companyA>[^\s]+)(?<companyB>.*)$"|stats count(companyA) by companyA | appendcols [search sourcetyp="A" NOT "companyA" NOT "-------" | rex field=_raw "^(?<companyA>[^\s]+)(?<companyB>.*)$"|stats count(companyB) by companyB]

My Results Table

companyA count(companyA) companyB count(companyB) abc 3 pgf 2 def 2 pqr 3 lmn 2 xyz 2

My Sample Data

Company A | Company B abc xyz lmn pqr def pgf abc pqr

Re: stats usage to display output as follows

yannK — Thu, 15 Nov 2012 18:49:50 GMT

nice complete answer.

Re: stats usage to display output as follows

alacercogitatus — Thu, 15 Nov 2012 18:54:05 GMT

I only have my answer because of you answer 😄

Re: stats usage to display output as follows

jerrythomasnyk — Fri, 16 Oct 2015 12:09:50 GMT

Hello, I have browsed most of your posts. This post is probably where I got the most useful information for my research. Thanks for posting, maybe we can see more on this. Are you aware of any other websites on this subject. Kartikeya Sharma & Robert Vadra