Reporting
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How can I create a report where values are grouped by a subgroup?

yk010123
Path Finder
‎04-12-2022 05:24 PM

I have the following data : 

 

ServiceMessage
Service1Hello world
Service2Another message
Service1Hello world
Service1Some other message

 

How can I write a report such that the final output looks like : 

Service

Message : count

 

For example, with the data above, it should be : 

Service1

Hello world : 2

Some other message : 1

Service 2

Another message : 1

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

VatsalJagani
SplunkTrust
SplunkTrust
‎04-12-2022 10:16 PM

Try this search:

<your current search>
| stats count by Service, Message

 

If you want a different format:

<your current search>
| stats count by Service, Message
| eval Message = Message." (".count.")"
| stats list(Message) by Service

 

I hope this helps!!!

View solution in original post

0 Karma
Reply
Solved! Jump to solution

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎04-12-2022 10:28 PM

@yk010123 

Can you please try this?

 

YOUR_SEARCH
| stats count by Service Message 
| eval dummy=Message.":".count 
| stats list(dummy) As dummy by Service  
| eval value=mvappend(Service,dummy," ")
| mvexpand value
| table value

 

 

My Sample Search :

| makeresults 
| eval _raw="Service	Message
Service1	Hello world
Service2	Another message
Service1	Hello world
Service1	Some other message" 
| multikv forceheader=1 
| table Service Message 
| rename comment as "Upto now is for sample data only" 
| stats count by Service Message 
| eval dummy=Message.":".count 
| stats list(dummy) As dummy by Service  
| eval value=mvappend(Service,dummy," ")
| mvexpand value
| table value

 

Screenshot 2022-04-13 at 10.58.08 AM.png

 

Thanks
KV


If any of my reply helps you to solve the problem Or gain knowledge, an upvote would be appreciated.

0 Karma
Reply
Solved! Jump to solution
Solution

VatsalJagani
SplunkTrust
SplunkTrust
‎04-12-2022 10:16 PM

Try this search:

<your current search>
| stats count by Service, Message

 

If you want a different format:

<your current search>
| stats count by Service, Message
| eval Message = Message." (".count.")"
| stats list(Message) by Service

 

I hope this helps!!!

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...