
How to group a table by multiple fields, dynamically?

sstruecker
Engager

Hey,

So I have to group a list of events based on one or more categories.
It should look like this:

row  time  status  logLevel  component
1    25    failed  INFO      sample
     24    failed  WARN      context
2    19    syn     INFO      lightbulb
     21    syn     ERROR     example
     28    syn     INFO      sample2
(grouped by status)

row  time  status  logLevel  component
1    25    failed  INFO      sample
     24    failed  WARN      context
2    21    syn     ERROR     example
3    19    syn     INFO      lightbulb
     28    syn     INFO      sample2
(grouped by status and logLevel)

I basically want to group the elements via a token which states the field names to group by.
And the real problem has more fields, around 17-20.

I hope you can help me.


renjith_nair
SplunkTrust

@sstruecker,

If you want the user to select the group-by fields, you may add a multiselect input, populate it with values from a dynamic search, and delimit them with a comma (,).

Here is a run-anywhere example with static inputs. You can change that to dynamic using a search.

<form>
  <label>Token based Dashboard</label>
  <fieldset submitButton="false">
    <input type="multiselect" token="groupby">
      <label>Group by Columns</label>
      <choice value="host">Host</choice>
      <choice value="sourcetype">Sourcetype</choice>
      <choice value="index">Index</choice>
      <choice value="source">Source</choice>
      <default>sourcetype</default>
      <delimiter>,</delimiter>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <query>index=_*| stats count by $groupby$</query>
          <earliest>-15m</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>
  </row>
</form>
Happy Splunking!

sstruecker
Engager

Unfortunately this doesn't solve my problem, because I want the other fields to be in the result, and I don't want a count field in the result.


renjith_nair
SplunkTrust

This is just an example; you can add any fields to the result, and count is not mandatory. However, for group by you need an aggregation function like count, min, max, values, etc. If you could share your current search (after masking any sensitive data), that would be helpful.

Happy Splunking!

renjith_nair
SplunkTrust

@sstruecker, on what basis do you decide on the group-by fields? Is there any specific pattern, or do you want all the fields in the result to be part of the group by? Based on that requirement we might be able to set the token.

Happy Splunking!

sstruecker
Engager

The user decides which field to group by. I don't think there are any patterns. It would be nice if you could decide which fields to group by.

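The thread stops before anyone shows how to get the asker's actual output shape (every event kept as its own row, no count column, a row number that starts a new group whenever the token-selected field values change). The dashboard below is an added example written for this page; it is not code from either participant and not from Splunk documentation. It keeps the `groupby` multiselect token and comma delimiter from the earlier answer, uses the field names from the question (status, logLevel, component), and builds five constructed events with makeresults so it runs anywhere without an index. In a real search, replace the makeresults/eval lines with your own base search and list your own columns in the final table command.

```xml
<form>
  <label>Group rows by token-selected fields</label>
  <fieldset submitButton="false">
    <input type="multiselect" token="groupby">
      <label>Group by</label>
      <!-- Static choices for the fields in the question. To populate this list
           dynamically instead, replace the <choice> elements with a <search>
           whose query ends in "| fieldsummary | fields field", plus
           <fieldForLabel>field</fieldForLabel> and <fieldForValue>field</fieldForValue>. -->
      <choice value="status">status</choice>
      <choice value="logLevel">logLevel</choice>
      <choice value="component">component</choice>
      <default>status</default>
      <delimiter>,</delimiter>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <!-- Pipeline: (1) constructed sample events matching the question;
             (2) sort so rows sharing the selected field values are adjacent;
             (3) streamstats count by the token gives each row its position
                 inside its group;
             (4) a running sum of "first row of a group" markers gives the
                 group number;
             (5) blank the group number on every row except the first, so the
                 table reads like the asker's mock-up; no count column appears. -->
        <search>
          <query>| makeresults count=5
| streamstats count as n
| eval time=case(n=1,25, n=2,24, n=3,19, n=4,21, n=5,28),
       status=if(n=1 OR n=2,"failed","syn"),
       logLevel=case(n=2,"WARN", n=4,"ERROR", true(),"INFO"),
       component=case(n=1,"sample", n=2,"context", n=3,"lightbulb", n=4,"example", n=5,"sample2")
| sort 0 $groupby$, time
| streamstats count as pos by $groupby$
| eval newgroup=if(pos=1,1,0)
| streamstats sum(newgroup) as row
| eval row=if(pos=1,row,null())
| table row time status logLevel component</query>
          <earliest>-15m</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>
  </row>
</form>
```

Selecting only status yields two numbered groups (failed, syn); selecting status and logLevel yields one group per distinct status/logLevel pair, because the token expands to a comma-separated field list inside both the sort and the streamstats by clause. The grouping is driven entirely by the token, so adding more choices to the multiselect (the asker mentions 17 to 20 fields) needs no change to the search.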