topic Re: How to group values of the same field and display timechart counts for each group month over month? in Splunk Search

How to group values of the same field and display timechart counts for each group month over month?

tmaltizo — Tue, 01 Nov 2016 17:05:19 GMT

I first need to group values of the same field...

Group1 (values match A1, A2, A3,...)
Group2 (values match B1, B2, B3,...)
Group3 (values match C1, C2, C3,...)

...then, I need to display the counts for each group (Group1, Group2, Group3) month-over-month.

Thanks for any assistance!
Trista

Re: How to group values of the same field and display timechart counts for each group month over month?

jkat54 — Wed, 02 Nov 2016 01:31:45 GMT

 ...| eval group1=if(match(fieldName,"A.*"),1,0) | eval group2=if(match(fieldName,"B.*"),1,0) | eval group3=if(match(fieldName,"C.*"),1,0) | stats count by group*



 The A.*, B.*, & C.* should be regular expressions that match the value of FieldName to the desired/correct group number.


 The stats group* will do the count for each group. 


 The "..." Is where you put your foot search.

FieldName should be the name of the field that contains the data

Let me know if that helps!

Re: How to group values of the same field and display timechart counts for each group month over month?

tmaltizo — Wed, 02 Nov 2016 20:21:51 GMT

Thanks for your response @jkat54!

I tried running specifically the following...

... | eval group1=if(match(message_subject,"CyFin"),1,0) | stats count by group*

I'm getting the error below...

Error in 'eval' command: Regex: nothing to repeat
The search job has failed due to an error. You may be able to view the job in the Job Inspector.

Please advise.....

Re: How to group values of the same field and display timechart counts for each group month over month?

jkat54 — Wed, 02 Nov 2016 20:51:01 GMT

If you put .* in front of and behind CyFin , what happens?

Re: How to group values of the same field and display timechart counts for each group month over month?

tmaltizo — Tue, 29 Sep 2020 11:40:30 GMT

@jkat54

I'm getting numbers for each of the following searches. I just want to put them together in one search and output each count....

Note that asterisks are in the front and back of each string within the quotes and no backslashes.

index=index message_subject="[CyFin" | stats count(message_subject)
index=index message_subject="[CyberIntel Confidential]" | stats count(message_subject)
index=index message_subject="[TNT-" | stats count(message_subject)

Thanks for your continued help!

Re: How to group values of the same field and display timechart counts for each group month over month?

jkat54 — Fri, 04 Nov 2016 00:44:12 GMT

 index=index message_subject="example1" OR message_subject="example2" OR message_subject="example3" | stats count by message_subject

Re: How to group values of the same field and display timechart counts for each group month over month?

jkat54 — Tue, 29 Sep 2020 11:51:55 GMT

If they are all in the same index you can do this:

index=index | stats count by message_subject

index=index message_subject="[TNT-" OR message_subject="[CyberIntel Confidential]" OR message_subject="[CyFin" | stats count by message_subject

If they are in different indexes, you can do this:

index=index1 message_subject="[TNT-" OR index=index2 message_subject="[CyberIntel Confidential]" OR index=index3 message_subject="[CyFin" | stats count by message_subject