topic Re: Grouping multiple times in Splunk Search

Grouping multiple times

raby1996 — Wed, 23 Sep 2015 23:01:57 GMT

Basically I would like to run one stats command where i do some arithmetic and correlation based on one grouping, but i would like to display the results using a different grouping, for example I'm run-in my first stats command grouping by bundle, and display those results grouped by Build.

Thank you

Re: Grouping multiple times

MuS — Wed, 23 Sep 2015 23:10:56 GMT

Hi raby1996,

The important part is to pass on any needed field for the second stats by adding it to the first stats. Try something like this:

your base search here | stats .... by bundle, Build .... | stats ... by Build

Hope this helps ...

cheers, MuS

Re: Grouping multiple times

raby1996 — Wed, 23 Sep 2015 23:32:01 GMT

Hmmmm i might be doing something wrong, here is my first stats

Base Search

| stats values(Group) as Group list("SFI Level") AS LIC2 count list(MTMS) AS MTMS ,list(Build) AS Build list(it2) AS Current_Bundle_Date , list(nowstring) AS Search_Date(Today) , list(TD) AS Difference , sum(TD) AS Sum, by Bundle
| eval MM=Sum/30.4

and my second stats which doesn't give me the right MM

|stats  list(Bundle), list(LIC2),list(Build),list(count), by Group

Basically I want to group differently without it affecting my results from the first stats(specifically MM) if that makes sense?
P.S I apologize I actaully want to group by "Group" i just changed the name in my question to make it less confusing .
Thank you!

Re: Grouping multiple times

raby1996 — Wed, 23 Sep 2015 23:46:35 GMT

Yes you were correct I just had to write and additional stats command with MM included

Re: Grouping multiple times

MuS — Wed, 23 Sep 2015 23:47:48 GMT

hmm looks like I don't get it; those are two different stats by so the result will not be the same?!?

Re: Grouping multiple times

MuS — Wed, 23 Sep 2015 23:58:07 GMT

If this answers your question, please accept the answer - thanks 🙂