Dashboards & Visualizations
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to build a search that united similar values as one?

test_qweqwe
Builder
‎06-12-2020 04:08 PM
Hello 🙂
 
My output is:
signature, count
BitTorrent DHT ping request, 896
Bittorrent P2P Client User-Agent (uTorrent), 350
BitTorrent DHT announce_peers request, 296
BitTorrent announce request, 201
BitTorrent DHT nodes reply, 121
Observed DNS Query to .biz TLD, 53586
Observed DNS Query to .cloud TLD, 24277
DYNAMIC_DNS Query to, 5896
DynDNS CheckIp External IP Address Server Response, 2894
OpenDNS DNSCrypt, 577
 
I to united similia events and output should be this:
signature, count 
Torrent, 1864
DNS, 87230

Can someone help me with the search pattern that will solve my issue?
One of the main criteria it's should be easy to scale and without the creation of a new field. The transformation should be before I will use command stats.
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

test_qweqwe
Builder
‎06-14-2020 12:27 PM

I did it 😄

| eval signature=if(like(signature,"%orrent%"),"Torrent events", signature)
| eval signature=if(like(signature, "%DNS%"), "DNS events", signature)

View solution in original post

0 Karma
Reply
Solved! Jump to solution

admin12345678
Path Finder
‎06-12-2020 10:02 PM

Try this one.

 

index="test_index" sourcetype="usecase1_csv"
| table signature count
| eval signature=substr(signature,1,1)
| stats list(count) as count by signature
| stats sum(count) as sum by signature

Reply
Solved! Jump to solution

test_qweqwe
Builder
‎06-13-2020 04:50 AM

it will work if I have the same (duplicates) values, no?

For example, I have 5 values that have similar context and I want them united as one:

signature

Jonh is eating

Sara is eating

Josh is eating

Dog

Cat 


Should be like this:

signature

Human

Animals 
0 Karma
Reply
Solved! Jump to solution

to4kawa
Ultra Champion
‎06-13-2020 05:20 PM 
| makeresults
| eval _raw="signature
Jonh is eating
Sara is eating
Josh is eating
Dog
Cat"
| multikv forceheader=1
| rename COMMENT as "this is your sample. from here, the logic" 
| rex field=signature "(?<type>\S+)(?<other>.*)?"
| eval category=if(other="","animal","human")
| stats count by category
| rename category as signature

Is this the same as the first question?

Reply
Solved! Jump to solution

test_qweqwe
Builder
‎06-14-2020 06:26 AM

Nope.

Okay, I see there is a lot of misunderstanding. I changed my post (:

0 Karma
Reply
Solved! Jump to solution
Solution

test_qweqwe
Builder
‎06-14-2020 12:27 PM

I did it 😄

| eval signature=if(like(signature,"%orrent%"),"Torrent events", signature)
| eval signature=if(like(signature, "%DNS%"), "DNS events", signature)

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎06-12-2020 05:41 PM
Can you please say more about the transformation? Are "A", "AA", and "AAA" duplicates or something else?
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

test_qweqwe
Builder
‎06-12-2020 06:45 PM

Hi rich!

It's different values, but they  have one common keyword.

Also, there will be cases in future when I need to united different values without common keyword as one.

 

0 Karma
Reply
Get Updates on the Splunk Community!

Mastering Data Pipelines: Unlocking Value with Splunk

 In today's AI-driven world, organizations must balance the challenges of managing the explosion of data with ...

The Latest Cisco Integrations With Splunk Platform!

Join us for an exciting tech talk where we’ll explore the latest integrations in Cisco &#43; Splunk! We’ve ...

AI Adoption Hub Launch | Curated Resources to Get Started with AI in Splunk

Hey Splunk Practitioners and AI Enthusiasts! It’s no secret (or surprise) that AI is at the forefront of ...
Top