Deployment Architecture
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to divide field values into groups depending on a different field?

nikita012
New Member
‎06-19-2019 05:09 AM

I have 2 fields.

**Store Minutes**
81145 22
81234 31
81145 38
87654 35
81234 22
81145 10
87654 13

The data should be divided in two buckets. The first bucket contains number of times when Minutes was less than 20. The other bucket contains number of times when Minutes was between 20 and 40 as shown below.

I want the data to be divided in the below format.

Store Bucket1 Bucket2
81145 1 2
81234 0  2
87654 1  1

Can you please provide code for the same.

0 Karma
Reply

adonio
Ultra Champion
‎06-19-2019 09:03 AM

here is another version using the bin command
it can scale if for example you have values above 40

  | makeresults 
    | eval _raw="Store Minutes
     81145 22
     81234 31
     81145 38
     87654 35
     81234 22
     81145 10
     87654 13
     81145 22
     81234 11
     81145 28
     87654 38
     81234 72
     81145 70
     87654 53" 
    | multikv 
    | table Store Minutes 
    | bin Minutes span=20 as bucket
    | chart count over Store by bucket

hope it helps

0 Karma
Reply

VatsalJagani
SplunkTrust
SplunkTrust
‎06-19-2019 05:37 AM

Hello @nikita012,

Try this query:

| stats list(Minutes) as Minutes by Store
| eval bucket1=mvfilter(Minutes<=20)
| eval bucket2=mvfilter(Minutes>20 AND Minutes<40)
| eval bucket1=mvcount(bucket1)
| eval bucket2=mvcount(bucket2)
| fillnull bucket1,bucket2 value=0
| table Store, bucket1, bucket2
0 Karma
Reply

renjith_nair
Legend
‎06-19-2019 05:33 AM

@nikita012 ,

Try

your base search |stats count(eval(Minutes<20)) as Bucket1,count(eval(Minutes>20)) as Bucket2 by Store
---
What goes around comes around. If it helps, hit it with Karma 🙂
0 Karma
Reply

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎06-19-2019 05:31 AM

@nikita012

Can you please try this?

YOUR_SEARCH | eval Bucket=case(Minutes<20,"Bucket1",Minutes<40,"Bucket2") | chart count over Store by Bucket

Sample search:

| makeresults | eval _raw="Store Minutes
81145 22
81234 31
81145 38
87654 35
81234 22
81145 10
87654 13" | multikv | table Store Minutes | eval Bucket=case(Minutes<20,"Bucket1",Minutes<40,"Bucket2") | chart count over Store by Bucket

Thanks

Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...