topic Re: Classify results into a defined group in Splunk Search

Classify results into a defined group

tayyujie — Sun, 30 Nov 2014 01:54:03 GMT

I need to group results and give it another name as a result.

For example, I have the following fruits and the number of fruits:
apples 6
oranges 4
grapes 9
watermelons 7
pineapples 5

I would like to group them according to their sizes:
small 9 (consists of grapes)
medium 10 (consists of apples and oranges)
large 12 (consists of watermelons and pineapples)

Edit: I think my previous question is not an accurate representation of how I want my results to look like.

Let me provide another example:
I have the following list:
Parameter Tampering 10
SQL Injection 15
Stealth Commanding 20
URL Access Control 5
Unicode Directory Traversal 25

I need to group them according to the OWASP 2013 list:
Injection (consists of Parameter Tampering, SQL Injection, and Stealth Commanding and etc) 45
Cross Site Scripting (consists of Cross Site Scripting) 0
Insecure Direct Object References (consists of Parameter Tampering, Unicode Directory Traversal, and Stealth Commanding and etc) 55
Missing Function Level Access Control (consists of Unicode Directory Traversal and etc) 25
Cross Site Request Forgery (consists of Cross Site Scripting and Stealth Commanding) 20
...

There are repeated items that I need to group too, so eval case does not work in my case.

I also want to display all the groups, even though they do not return a result.

Re: Classify results into a defined group

lguinn2 — Sun, 30 Nov 2014 08:08:56 GMT

Try this

yoursearchhere
| eval size=case(fruit=="apples" OR fruit=="oranges","medium",
                 fruit=="grapes","small",
                 fruit=="watermelons" OR fruit=="pineapples","large",
                 1==1,"unknown")
| stats sum(numberFruits) as TotalFruits by size

assuming the relevant fields are called fruit and numberFruits

Update: if you want to add the list of fruits, as suggested by @martin_mueller below:

yoursearchhere
| eval size=case(fruit=="apples" OR fruit=="oranges","medium",
                 fruit=="grapes","small",
                 fruit=="watermelons" OR fruit=="pineapples","large",
                 1==1,"unknown")
| stats sum(numberFruits) as TotalFruits values(fruit) as TypesofFruit by size

Re: Classify results into a defined group

tayyujie — Sun, 30 Nov 2014 11:11:04 GMT

Thank you very much! Just wondering if there's any way to enforce displaying of the groups in the search results?

Re: Classify results into a defined group

martin_mueller — Sun, 30 Nov 2014 15:17:59 GMT

You could add values(fruit) to the stats.

Re: Classify results into a defined group

tayyujie — Mon, 01 Dec 2014 03:35:56 GMT

I'm sorry for the mixup, but for the search, it is mandatory for me to display the sizes of the fruits, not the group details.

Re: Classify results into a defined group

tayyujie — Sat, 06 Dec 2014 09:21:35 GMT

Turns out I found out my own answer.

You have to query the results and save it as an event type and tag it with a common name.

And you can display the groups by using the following command (assuming tag name is "owasp"):

<search> tag::eventtype=owasp | stats count by eventtype