How to build a search that unites similar values as one?

test_qweqwe
Builder
Hello 🙂
 
My output is:
signature, count
BitTorrent DHT ping request, 896
Bittorrent P2P Client User-Agent (uTorrent), 350
BitTorrent DHT announce_peers request, 296
BitTorrent announce request, 201
BitTorrent DHT nodes reply, 121
Observed DNS Query to .biz TLD, 53586
Observed DNS Query to .cloud TLD, 24277
DYNAMIC_DNS Query to, 5896
DynDNS CheckIp External IP Address Server Response, 2894
OpenDNS DNSCrypt, 577

I want to unite similar events, and the output should be this:
signature, count
Torrent, 1864
DNS, 87230

Can someone help me with the search pattern that will solve my issue?
One of the main criteria is that it should be easy to scale and not require creating a new field. The transformation should happen before I use the stats command.
1 Solution

test_qweqwe
Builder

I did it 😄

| eval signature=if(like(signature,"%orrent%"),"Torrent events", signature)
| eval signature=if(like(signature, "%DNS%"), "DNS events", signature)

admin12345678
Path Finder

Try this one.
index="test_index" sourcetype="usecase1_csv"
| table signature count
| eval signature=substr(signature,1,1)
| stats list(count) as count by signature
| stats sum(count) as sum by signature

test_qweqwe
Builder

It will work if I have the same (duplicate) values, no?

For example, I have 5 values that have similar context and I want them united as one:

signature
Jonh is eating
Sara is eating
Josh is eating
Dog
Cat

Should be like this:

signature
Human
Animals

to4kawa
SplunkTrust
| makeresults
| eval _raw="signature
Jonh is eating
Sara is eating
Josh is eating
Dog
Cat"
| multikv forceheader=1
| rename COMMENT as "this is your sample. from here, the logic" 
| rex field=signature "(?<type>\S+)(?<other>.*)?"
| eval category=if(other="","animal","human")
| stats count by category
| rename category as signature

Is this the same as the first question?

test_qweqwe
Builder

Nope.

Okay, I see there is a lot of misunderstanding. I changed my post (:

richgalloway
SplunkTrust
Can you please say more about the transformation? Are "A", "AA", and "AAA" duplicates or something else?
---
If this reply helps you, an upvote would be appreciated.

test_qweqwe
Builder

Hi rich!

They are different values, but they have one common keyword.

Also, there will be cases in the future when I need to unite different values without a common keyword as one.

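The search below is an added example and not code posted in this thread. It folds the accepted like() approach into a single case() built on match() regexes, so that adding a category means adding one line, includes an in() branch for the "no common keyword" case raised above (the Dog/Cat sample), and finishes with the stats the question mentions. The sample rows are constructed from the counts posted above plus a few extra values; the category names, the "Other" bucket and the rename COMMENT lines (the comment idiom used elsewhere in this thread) are assumptions.

```spl
| makeresults
| rename COMMENT as "Constructed sample rows (signature=count), not real data; one event per row"
| eval line=split("BitTorrent DHT ping request=896;Bittorrent P2P Client User-Agent (uTorrent)=350;BitTorrent DHT announce_peers request=296;Observed DNS Query to .biz TLD=53586;DYNAMIC_DNS Query to=5896;DynDNS CheckIp External IP Address Server Response=2894;OpenDNS DNSCrypt=577;Dog=3;Cat=2;Unrelated signature=12", ";")
| mvexpand line
| rex field=line "^(?<signature>.+)=(?<count>\d+)$"
| eval count=tonumber(count)
| fields signature count
| rename COMMENT as "One case() holds the whole mapping: the first true branch wins, true() catches everything unmapped"
| eval category=case(
    match(signature, "(?i)torrent"),  "Torrent",
    match(signature, "(?i)dns"),      "DNS",
    in(signature, "Dog", "Cat"),      "Animals",
    true(),                           "Other")
| rename COMMENT as "Aggregate only after the normalisation, as the question asks"
| stats sum(count) AS count BY category
| rename category AS signature
```

Branch order matters: a signature that matches two patterns lands in the first one listed, so put the most specific regex first. The (?i) flag makes the regexes case-insensitive, which is what lets one pattern cover "BitTorrent", "Bittorrent" and "uTorrent"; the like() version in the accepted answer is case-sensitive and relies on the shared substring "orrent". The true() branch is deliberate: unmapped signatures collect under "Other" instead of disappearing, so a new IDS signature shows up as a growing "Other" count rather than silently falling out of the dashboard. Once the keyword-less mappings grow beyond a handful of values, move them out of in() into a lookup CSV (signature,category) applied with the lookup command before stats, which keeps the search itself unchanged when categories are added.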