How to group a table by multiple fields, dynamically?

Engager

Hey,

So I have to group a list of events based on one or more categories.
It should look like this:

row  time  status  logLevel  component
1    25    failed  INFO      sample
     24    failed  WARN      context
2    19    syn     INFO      lightbulb
     21    syn     ERROR     example
     28    syn     INFO      sample2
(grouped by status)

row  time  status  logLevel  component
1    25    failed  INFO      sample
     24    failed  WARN      context
2    21    syn     ERROR     example
3    19    syn     INFO      lightbulb
     28    syn     INFO      sample2
(grouped by status and logLevel)

I basically want to group the elements via a token which states the field names to group by.
And the real problem has more fields, around 17-20.

I hope you can help me.

0 Karma
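To make the requested behaviour concrete outside Splunk, here is an added example (not from the thread, and not Splunk's own code) that implements the literal semantics of grouping by every field named in a comma-delimited token: all original fields are kept, no count column is added, and a row number appears only on the first event of each group. The events are constructed from the tables above; the token is checked against the known field names before use, since a token that reaches a search string unchecked is an injection point.

```python
# Constructed sample events, taken from the tables in the question.
EVENTS = [
    {"time": 25, "status": "failed", "logLevel": "INFO",  "component": "sample"},
    {"time": 24, "status": "failed", "logLevel": "WARN",  "component": "context"},
    {"time": 19, "status": "syn",    "logLevel": "INFO",  "component": "lightbulb"},
    {"time": 21, "status": "syn",    "logLevel": "ERROR", "component": "example"},
    {"time": 28, "status": "syn",    "logLevel": "INFO",  "component": "sample2"},
]


def split_token(token):
    """Split a comma-delimited token such as 'status,logLevel' into field names."""
    return [f.strip() for f in token.split(",") if f.strip()]


def validate_token(token, allowed):
    """Return the field names in the token that are NOT in the allowed set.
    An empty list means the token is safe to use as a group-by list."""
    return [f for f in split_token(token) if f not in allowed]


def group_rows(events, token):
    """Group events by the fields named in the token (hypothetical helper).

    Returns display rows with every original field kept, no count column,
    and a 'row' number only on the first event of each group ('' otherwise).
    Events keep their input order inside a group because sorted() is stable.
    """
    allowed = set().union(*(e.keys() for e in events))
    bad = validate_token(token, allowed)
    if bad:
        raise ValueError(f"unknown group-by field(s): {bad}")
    fields = split_token(token)

    def key(e):
        return tuple(str(e.get(f, "")) for f in fields)

    rows, prev, group_no = [], None, 0
    for e in sorted(events, key=key):
        k = key(e)
        if k != prev:              # first event of a new group
            group_no += 1
            prev = k
            rows.append({"row": group_no, **e})
        else:                      # further event of the same group
            rows.append({"row": "", **e})
    return rows
```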

SplunkTrust

@sstruecker,

If you want the user to select the group by field, you may add a multiselect input, populate it with values based on a dynamic search, and delimit them with a comma (,).

Here is a run-anywhere example with static inputs. You can change that to dynamic using a search.

<form>
  <label>Token based Dashboard</label>
  <fieldset submitButton="false">
    <input type="multiselect" token="groupby">
      <label>Group by Columns</label>
      <choice value="host">Host</choice>
      <choice value="sourcetype">Sourcetype</choice>
      <choice value="index">Index</choice>
      <choice value="source">Source</choice>
      <default>sourcetype</default>
      <delimiter>,</delimiter>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <query>index=_*| stats count by $groupby$</query>
          <earliest>-15m</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>
  </row>
</form>
0 Karma

Engager

Unfortunately this doesn't solve my problem, because I want the other fields to be in the result, and I don't want a Count field in the result.

0 Karma

SplunkTrust

This is just an example; you can add any fields to the result, and count is not mandatory. However, for group by you need an aggregation function like count, min, max, values, etc. If you could share your current search (after masking any sensitive data), that would be helpful.

0 Karma

SplunkTrust

@sstruecker, on what basis do you decide on the group by fields? Is there any specific pattern, or do you want all the fields in the result to be part of the group by? Based on that requirement we might be able to set the token.

0 Karma

Engager

The user decides which field to group by. I don't think there are any patterns. It would be nice if you could decide which fields to group by.

0 Karma