Deployment Architecture
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to group similar results from one field?

MikeB
Path Finder
‎09-30-2021 10:04 AM

Hello! I'm hoping some Splunk masters can help me with what I thought would have been an easy task but I'm very much stuck on it.  How can I group similar starting results into one result within the same field? I have a field that spits out results formatted like this:

index=prod_side sourcetype=prod_one  fail_code=* | table fail_code

Results:

fail_code
c-tr [213]
c-tr [893]
c-tr [309]
e-hw [gold]
e-hw [silver]
e-hw [bronze]
e-pr [vbix]
e-pr [zbix]
g-tr [345]
g-tr [123]
d-st [(intel.arm64) T 123 123]
d-st [(intel.arm64) T 456 456]

I want to group results and count the total for each by the 4 characters before the brackets [ ] begin. The content in the brackets is not relevant to me and can be done away with in the results table:

fail_code_name     value_count
c-tr                                  3
e-hw                               3
e-pr                                 2
g-tr                                  2
d-st                                 2

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎09-30-2021 10:17 AM

There likely are several ways to do that.  I like to use rex to extract the interesting bits into a separate field and then group by that field.

index=prod_side sourcetype=prod_one  fail_code=*
| rex field=fail_code "(?<fail_code_name>[^\[]+)"
| stats count as value_count by fail_code_name
| table fail_code_name value_count
---
If this reply helps you, Karma would be appreciated.

View solution in original post

Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎09-30-2021 10:17 AM

There likely are several ways to do that.  I like to use rex to extract the interesting bits into a separate field and then group by that field.

index=prod_side sourcetype=prod_one  fail_code=*
| rex field=fail_code "(?<fail_code_name>[^\[]+)"
| stats count as value_count by fail_code_name
| table fail_code_name value_count
---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

MikeB
Path Finder
‎09-30-2021 10:43 AM

This is fantastic! If I may, how would I write a regular expression to capture groups by the first two characters? Like if I just wanted:

fail_code_name     
c-                                        
d-
e-

I also have several values that are:
c-tr [1234] 
c-tr [6532]
c-ds [4567]
c-pd [8791]
d-st [6549]
d-ty [6321]
d-pr [8912]
e-hw [3691]
e-rt [8742]
e-zx [9911]

0 Karma
Reply
Solved! Jump to solution

PickleRick
SplunkTrust
SplunkTrust
‎09-30-2021 10:54 AM

Regex for first two characters of a string is relatively easy

^.{2}

But I suppose using ane eval with substring function would be marginally more effective (regexps as such are quite a heavy machinery)

Reply
Solved! Jump to solution

MikeB
Path Finder
‎09-30-2021 12:50 PM

Thank you! That was good advice. For future finders of this post you would replace the following:

From: 

| rex field=fail_code "(?<fail_code_name>[^\[]+)"

 

To this: 

| rex field=fail_code "(?<fail_code_name>^.{2}+)"

 

0 Karma
Reply
Get Updates on the Splunk Community!

Blueprints for High-Maturity Operations: Splunk Lantern Articles on SOAR, ES 8.4, ...

Splunk Lantern is Splunk’s customer success center that provides practical guidance from Splunk experts on key ...

Simplifying the Analyst Experience with Finding-based Detections

    Splunk invites you to an engaging Tech Talk focused on streamlining security operations with ...

[Puzzles] Solve, Learn, Repeat: Word Search

This challenge was first posted on Slack #puzzles channelThis puzzle is based on a letter grid containing ...