Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Display the count of a field in a multi value field

Alaza
Explorer
‎03-09-2018 04:39 AM

I have a CSV with 10 values for the field ABLA.
In my events I have a field ALIAS and I want to display on a dashboard the count of events with the ALIAS matching ABLA by time.

index="events_index"

| append [| inputlookup CSV.csv |stats values(ABLA) as liste]
| where alias IN liste

How can I do that ?

Tags (2)
0 Karma
Reply

prabhu77749
Explorer
‎03-14-2018 12:31 PM

index="events_index"

| lookup CSV.csv ALIAS | timechart count by ABLA

ALIAS from events
ABLA from CSV
csv file header format
ALIAS ABLA

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎03-09-2018 04:48 AM

Hi Alaza,
you should put the csv file in a lookup and then run a search like this:

index="events_index" [ | inputlookup CSV.csv | rename ABLA AS ALIAS | fields ALIAS ]
| ...

In this way tou have filtered events in index="events_index" for each value of field ABLA to use for the following elaborations.
Remember that the result of the subsearch must have the same field name of the main search.

If instead you want to search ABLA values not in ALIAS field but in all the _raw you can run something like this:

index="events_index" [ | inputlookup CSV.csv | rename ABLA AS query | fields query ]
| ...

Bye.
Giuseppe

0 Karma
Reply

Alaza
Explorer
‎03-09-2018 08:19 AM

Thanks but to be more precise, I want to display on a dashboard the count of events with the ALIAS matching ABLA by time.

Example :
Date ALIAS1 ALIAS2 ALIAS3 ALIAS4 ALIAS5 ALIAS6 ALIAS7 ... ALIAS10
09/03/2018 1 4 0 7 2 1 0 3

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎03-09-2018 08:26 AM

Hi Alaza,
yes, using my filter you have only events that match, then you can display them as you want: by time using timechart, or as stats or listing the events.
The important thing is that you filter events and results are only the ones that matches, e.g.;

index="events_index" [ | inputlookup CSV.csv | rename ABLA AS ALIAS | fields ALIAS ]
| timechart count BY ALIAS

Bye.
Giuseppe

0 Karma
Reply

Alaza
Explorer
‎03-09-2018 08:33 AM

I understand but I want to display the count of event matching for each value of the field ABLA.
If the match result is null I want to display it too.

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎03-09-2018 08:41 AM

Hi Alaza,
if you don't need time in your results you could run a search like this:

index="events_index"
| stats count BY ALIAS
| append  [ | inputlookup CSV.csv | dedup ABLA | rename ABLA AS ALIAS | eval count=0 | fields ALIAS count]
| stats sum(count) AS Total BY ALIAS

in this way you have also the null ALIAS.

it's not so easy to add null values to timechart, I'll try tomorrow.

Bye.
Giuseppe

0 Karma
Reply

Alaza
Explorer
‎03-09-2018 09:37 AM

I see, but yes I need time.

0 Karma
Reply

somesoni2
Revered Legend
‎03-09-2018 12:48 PM

Extending @cusello's answer,

index="events_index" [ | inputlookup CSV.csv | stats count by ABLA | rename ABLA AS ALIAS | fields ALIAS ]
 | timechart count BY ALIAS
| table _time [| inputlookup CSV.csv | stats values(ABLA) as search | nomv search ]
| fillnull value=0
0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...