Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to build a search that united similar values as one?

test_qweqwe
Builder
‎06-12-2020 04:08 PM
Hello 🙂
 
My output is:
signature, count
BitTorrent DHT ping request, 896
Bittorrent P2P Client User-Agent (uTorrent), 350
BitTorrent DHT announce_peers request, 296
BitTorrent announce request, 201
BitTorrent DHT nodes reply, 121
Observed DNS Query to .biz TLD, 53586
Observed DNS Query to .cloud TLD, 24277
DYNAMIC_DNS Query to, 5896
DynDNS CheckIp External IP Address Server Response, 2894
OpenDNS DNSCrypt, 577
 
I to united similia events and output should be this:
signature, count 
Torrent, 1864
DNS, 87230

Can someone help me with the search pattern that will solve my issue?
One of the main criteria it's should be easy to scale and without the creation of a new field. The transformation should be before I will use command stats.
Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

test_qweqwe
Builder
‎06-14-2020 12:27 PM

I did it 😄

| eval signature=if(like(signature,"%orrent%"),"Torrent events", signature)
| eval signature=if(like(signature, "%DNS%"), "DNS events", signature)

View solution in original post

0 Karma
Reply
Solved! Jump to solution

admin12345678
Path Finder
‎06-12-2020 10:02 PM

Try this one.

 

index="test_index" sourcetype="usecase1_csv"
| table signature count
| eval signature=substr(signature,1,1)
| stats list(count) as count by signature
| stats sum(count) as sum by signature

Reply
Solved! Jump to solution

test_qweqwe
Builder
‎06-13-2020 04:50 AM

it will work if I have the same (duplicates) values, no?

For example, I have 5 values that have similar context and I want them united as one:

signature

Jonh is eating

Sara is eating

Josh is eating

Dog

Cat 


Should be like this:

signature

Human

Animals 
0 Karma
Reply
Solved! Jump to solution

to4kawa
Ultra Champion
‎06-13-2020 05:20 PM 
| makeresults
| eval _raw="signature
Jonh is eating
Sara is eating
Josh is eating
Dog
Cat"
| multikv forceheader=1
| rename COMMENT as "this is your sample. from here, the logic" 
| rex field=signature "(?<type>\S+)(?<other>.*)?"
| eval category=if(other="","animal","human")
| stats count by category
| rename category as signature

Is this the same as the first question?

Reply
Solved! Jump to solution

test_qweqwe
Builder
‎06-14-2020 06:26 AM

Nope.

Okay, I see there is a lot of misunderstanding. I changed my post (:

0 Karma
Reply
Solved! Jump to solution
Solution

test_qweqwe
Builder
‎06-14-2020 12:27 PM

I did it 😄

| eval signature=if(like(signature,"%orrent%"),"Torrent events", signature)
| eval signature=if(like(signature, "%DNS%"), "DNS events", signature)

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎06-12-2020 05:41 PM
Can you please say more about the transformation? Are "A", "AA", and "AAA" duplicates or something else?
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

test_qweqwe
Builder
‎06-12-2020 06:45 PM

Hi rich!

It's different values, but they  have one common keyword.

Also, there will be cases in future when I need to united different values without common keyword as one.

 

0 Karma
Reply
Get Updates on the Splunk Community!

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...

Cloud Platform & Enterprise: Classic Dashboard Export Feature Deprecation

As of Splunk Cloud Platform 9.3.2408 and Splunk Enterprise 9.4, classic dashboard export features are now ...