Dashboards & Visualizations
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

groupby against raw data from multiple logs

Lax
Explorer
‎10-26-2023 12:18 PM

I have multiple strings as below in various log files. Intention is to retrieve them in a table and apply group by.

Satisfied Conditions: XYZ, ABC, 123, abc
Satisfied Conditions: XYZ, bcd, 123, abc

Satisfied Conditions: bcd, ABC, 123, abc

Satisfied Conditions: XYZ, ABC, 456, abc

then output shall be:

ConditionCount
XYZ3
ABC3
abc4
bcd2
1233
4561

 

I am almost there till retrieving data column wise but not able to get it. Any inputs here would be helpful.

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎10-31-2023 12:28 AM

Hi @Lax ,

good for you, see next time!

let us know if we can help you more, or, please, accept one answer for the other people of Community.

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated by all the contributors 😉

View solution in original post

Reply
Solved! Jump to solution

Lax
Explorer
‎10-27-2023 07:15 AM

Thank you @ITWhisperer and @gcusello for the prompt response and great inputs.

I have these strings (ex: Satisfied Conditions: XYZ, ABC, 123, abc) across thousands of log files. How do it get them into a single bucket at runtime so I can apply the logic to split and group by.

0 Karma
Reply
Solved! Jump to solution

Lax
Explorer
‎10-30-2023 07:20 PM

Thank you @ITWhisperer and @gcusello. It is working now.

If anything more is required, I will get back. Thanks again.

0 Karma
Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎10-31-2023 12:28 AM

Hi @Lax ,

good for you, see next time!

let us know if we can help you more, or, please, accept one answer for the other people of Community.

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated by all the contributors 😉

Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎10-27-2023 11:10 PM

Hi @Lax ,

as me and @ITWhisperer said: if you could share some samples of your logs we could be more detailed.

The final parte of the search will surely be the tats command, but how to arrive to it depends on how data are in your logs.

We need of samples to understand how to separate eventual multiple values in single values to group using stats.

Ciao.

Giuseppe

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎10-27-2023 07:20 AM

Just as I showed in my example. If you need it adapted for your events, and need help with that, you will need to provide anonymised examples of your events for us to work with.

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎10-27-2023 01:30 AM

As @gcusello says, stats will count the occurrences easily, but only if they are in a multi-value field, so it depends on how your data is actually represented. The following runanywhere example uses the lines you gave as an example as the starting point, but your actually data may be different to this.

| makeresults
| eval _raw="Satisfied Conditions: XYZ, ABC, 123, abc
Satisfied Conditions: XYZ, bcd, 123, abc
Satisfied Conditions: bcd, ABC, 123, abc
Satisfied Conditions: XYZ, ABC, 456, abc"
| multikv noheader=t
| rename _raw as Condition
| table Condition
``` The lines above set up some dummy data - possibly similar to your post? ```
``` First split out the conditions ```
| eval Condition=mvindex(split(Condition,": "),1)
``` Second split the conditions into a multi-value field ```
| eval Condition=split(Condition,", ")
``` Now stats can count the occurrences of the conditions ```
| stats count by Condition

ITWhisperer_0-1698395437407.png

 

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎10-26-2023 11:14 PM

Hi @Lax,

grouping by Condition is easy, you have to use the stats command.

<your_search>
| stats count BY Condition

The real question is how do you have there values in Condition field: in every event there's only one value or more values, if more values, how they are grouped (in the event), are they in json format?

I could be more detailed if you could share some sample of your logs.

Ciao.

Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

SOC4Kafka - New Kafka Connector Powered by OpenTelemetry

The new SOC4Kafka connector, built on OpenTelemetry, enables the collection of Kafka messages and forwards ...

Your Voice Matters! Help Us Shape the New Splunk Lantern Experience

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Building Momentum: Splunk Developer Program at .conf25

At Splunk, developers are at the heart of innovation. That’s why this year at .conf25, we officially launched ...