Dashboards & Visualizations

How to group a table by multiple fields, dynamically?

sstruecker
Engager

Hey,

So I have to group a list of events based on one or more categories.
It should look like this:

row  time  status  logLevel  component
1    25    failed  INFO      sample
     24    failed  WARN      context
2    19    syn     INFO      lightbulb
     21    syn     ERROR     example
     28    syn     INFO      sample2
(grouped by status)

row  time  status  logLevel  component
1    25    failed  INFO      sample
     24    failed  WARN      context
2    21    syn     ERROR     example
3    19    syn     INFO      lightbulb
     28    syn     INFO      sample2
(grouped by status and logLevel)

I basically want to group the elements via a token which states the field names to group by.
And the real problem has more fields, around 17-20.

I hope you can help me.

0 Karma

renjith_nair
Legend

@sstruecker,

If you want the user to select the group-by fields, you may add a multiselect input, populate it with values from a dynamic search, and delimit them with a comma (,).

Here is a run-anywhere example with static inputs. You can change that to dynamic using a search.

<form>
  <label>Token based Dashboard</label>
  <fieldset submitButton="false">
    <input type="multiselect" token="groupby">
      <label>Group by Columns</label>
      <choice value="host">Host</choice>
      <choice value="sourcetype">Sourcetype</choice>
      <choice value="index">Index</choice>
      <choice value="source">Source</choice>
      <default>sourcetype</default>
      <delimiter>,</delimiter>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <query>index=_*| stats count by $groupby$</query>
          <earliest>-15m</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>
  </row>
</form>
---
What goes around comes around. If it helps, hit it with Karma 🙂
0 Karma

sstruecker
Engager

Unfortunately this doesn't solve my problem, because I want the other fields to be in the result, and I also don't want a Count field in the result.

0 Karma

renjith_nair
Legend

This is just an example; you can add any fields to the result, and count is not mandatory. However, for group by you need an aggregation function like count, min, max, values, etc. If you could share your current search (after masking any sensitive data), that would be helpful.

---
What goes around comes around. If it helps, hit it with Karma 🙂
0 Karma
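A worked variant, added here as an example and not code from the thread: the multiselect is populated from a search (as the first answer suggests) and the table uses values() aggregations plus streamstats for the group row number instead of a count column (as the follow-up explains). The `_internal`/`splunkd` data source with its `log_level` and `component` fields, and the fieldsummary-based populating search, are my assumptions.

```xml
<form>
  <label>Token based Dashboard (dynamic group by)</label>
  <fieldset submitButton="false">
    <input type="multiselect" token="groupby">
      <label>Group by Columns</label>
      <!-- Assumption: choices come from the fields actually present in the
           data, so the token can only ever hold real field names. The two
           columns shown as values() below (and internal _* fields) are
           excluded so a field is never both a by-field and a values() column. -->
      <search>
        <query>index=_internal sourcetype=splunkd | head 1000 | fieldsummary
| search NOT field="_*" NOT field=log_level NOT field=component | table field</query>
        <earliest>-15m</earliest>
        <latest>now</latest>
      </search>
      <fieldForLabel>field</fieldForLabel>
      <fieldForValue>field</fieldForValue>
      <default>host</default>
      <!-- Selected values are joined into one token, e.g. "host,source" -->
      <delimiter>,</delimiter>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <!-- values() keeps the non-grouped columns as multivalue cells,
               streamstats numbers each group; no count column is output -->
          <query>index=_internal sourcetype=splunkd
| stats values(_time) as time values(log_level) as logLevel values(component) as component by $groupby$
| streamstats count as row
| table row $groupby$ time logLevel component</query>
          <earliest>-15m</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>
  </row>
</form>
```

Each table row is one group (the selected fields' combination) with the remaining columns shown as multivalue cells, which is the layout the question sketches.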

renjith_nair
Legend

@sstruecker, on what basis do you decide on the group-by fields? Is there any specific pattern, or do you want all the fields in the result to be part of the group by? Based on that requirement we might be able to set the token.

---
What goes around comes around. If it helps, hit it with Karma 🙂
0 Karma

sstruecker
Engager

The user decides which fields to group by. I don't think there are any patterns. It would be nice if you could decide which fields to group by.

0 Karma