topic Re: grouping field data and count in Splunk Search

grouping field data and count

ritzz — Wed, 04 Oct 2023 09:32:08 GMT

I have data like provided below:

field A

Field B

Field C

Field D

abc.com

xyz.com

abc.com

xyz.com

def.com

I want to group Field A values such that all abc.com value come in 1 row with associated count.

I want output like

field A	count	Field B	Field C	Field D
abc.com	2	1 1	AB CD	1 1
xyz.com	2	2 2	AB CD	1 1
def.com	1	1	AB CD	0

if I take path of stats count then it split field C and D which I don't want, I want them to be uniquely compared as a group value. looking for suggestions. Thanks in advance.

Re: grouping field data and count

ITWhisperer — Wed, 04 Oct 2023 10:18:26 GMT

Re: grouping field data and count

ritzz — Fri, 06 Oct 2023 14:13:05 GMT

Thanks ! your provided answer worked.

Additionally, explaining for others coming here.

| nomv FieldB —- multivalue command to convert multivalued field to a single value field | nomv FieldC | nomv FieldD | stats count values(*) as * by FieldA —to get count of field values | foreach FieldB FieldC FieldD [| eval <<FIELD>>=split(<<FIELD>>," ")]. —- for every MV field converted to singlevalue field , converting them back to multivalue fields

Re: grouping field data and count

ritzz — Fri, 06 Oct 2023 15:51:59 GMT

after performing the query

my result table is like below

field A	count	Field c	Field D	Field E	Field F
abc.com	2	a b	A B	abc.com bcf.com def.com	sub1 sub 2 sub 3
def.com	4	A B	A B	bcc.com xyz.com	sub 5 sub 6 sub 6
efg.com	6	B A	A B	jhg.com abc.com ghj.com	sub 4 sub 7 sub 8

I want to ask is their anyway/operation that I can perform on field E and field F so that they are throwing unique combination value rather a multivalue filed. Prior performing count operation in query Field E and F are unique but after count they become multi value which In later stage again I want to tke them to their prior state.

such that where field A,B,C,D remains same but Field E & F are divided further in rows on basis of unique combination of values of field E & F ( but parent unique combination of A,B,C,D remains same)

Re: grouping field data and count

ITWhisperer — Fri, 06 Oct 2023 14:32:36 GMT

Can you provide an example of what that would look like?

Re: grouping field data and count

ritzz — Mon, 09 Oct 2023 20:04:39 GMT

something like below where Field A,count,B,C are multivalue existing already calculated fields but additionally Field E and F are divided based on domain ( pre calculation we did in last query) but in domain signifying their unique combination values.

Re: grouping field data and count

ITWhisperer — Tue, 10 Oct 2023 07:23:31 GMT

Yeah, you can't do that. Each "row" is an event, a stats event. You can't split the event part way through. You would need to create a new event e.g.

would become