
How to count events sorting by count in a multivalue fields

cindygibbs_08
Communicator

Hello guys I have this SPL

| stats count(events) by type process


and it gives me something CORRECT like this:

PROCESS  TYPE OF ALERT  COUNT
A        RED FLAG       458
A        ISJD           5245
A        IOO            21452
A        XCNCNC         125
B        LPOLSSS        21
B        SSSSSS         584
B        RED FLAG       284
B        ISJD           455
C        RED FLAG       255214
C        ISJD           55551
C        IOO            8569


but when I do this:

| stats count(events) by type process
| stats values(*) as * by process


I get something incorrect, because the types of errors do not correspond with the count field next to them; Splunk seems to order them in another fashion, like this for example, which is not correct:

PROCESS  TYPE OF ALERT  COUNT
A        IOO            125
         ISJD           5245
         RED FLAG       458
         XCNXNX         21452

and so the rows for B and C will also be mixed up


I would like to have them shown like this, which is correct:

Captura.PNG

Is there a proper way to do that, guys? THANK you so much in advance!

kindly
C


ITWhisperer
SplunkTrust

Try just listing the fields that you are interested in.

| stats count(events) as count by type process
| stats list(type) as type list(count) as count by process


ITWhisperer
SplunkTrust

values will sort the multi-values lexicographically (and remove duplicates), whereas list will maintain the order and preserve all values.

| stats count(events) by type process
| stats list(*) as * by process
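To see the difference on the thread's own sample table, here is an added search (not posted by ITWhisperer or anyone else in the thread) that runs values() and list() side by side over the same counts; the field names PROCESS, TYPE_OF_ALERT and COUNT come from multikv parsing the header, and the output names type_values, count_values, type_list and count_list are my own choice:

```spl
| makeresults
| eval _raw="PROCESS	TYPE OF ALERT	COUNT
A	RED FLAG	458
A	ISJD	5245
A	IOO	21452
A	XCNCNC	125
B	LPOLSSS	21
B	SSSSSS	584
B	RED FLAG	284
B	ISJD	455
C	RED FLAG	255214
C	ISJD	55551
C	IOO	8569"
| multikv forceheader=1
| table PROCESS TYPE_OF_ALERT COUNT
| stats values(TYPE_OF_ALERT) as type_values values(COUNT) as count_values
        list(TYPE_OF_ALERT) as type_list list(COUNT) as count_list
        by PROCESS
```

In the values() columns each multivalue field is sorted on its own (and COUNT is sorted as text, so 125 lands before 21452), which is why the alert type and the count in the same position no longer belong to the same original row. The list() columns keep the rows in their incoming order, so position N in type_list still pairs with position N in count_list; add a `| sort PROCESS - COUNT` before the second stats if you want the pairs ordered by count.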

cindygibbs_08
Communicator

@ITWhisperer hello dearest! First, thanks for the explanation between list and values. I actually did use list before, but for some reason this command always returns some "gibberish" values in the list field, such as:

"Splusk_x67383_ap_73828828383"

But I know this is something from Splunk, or maybe it is something with my version of Splunk, because these weird things do not appear when I use values... Is it because I have Splunk 8?


kamlesh_vaghela
SplunkTrust

@cindygibbs_08 

Can you please try this?

YOUR_SEARCH
| sort PROCESS - COUNT
| autoregress PROCESS p=1 as pre_PROCESS
| eval PROCESS=case(isnull(pre_PROCESS),PROCESS,PROCESS!=pre_PROCESS,PROCESS,1=1,null()) | fields - pre_PROCESS
| eval PROCESS=if(isnull(PROCESS),TYPE_OF_ALERT,PROCESS)
| eval TYPE_OF_ALERT=if(PROCESS=TYPE_OF_ALERT,COUNT,TYPE_OF_ALERT)
| eval COUNT=if(COUNT=TYPE_OF_ALERT,null(),COUNT)

My sample search:

| makeresults | eval _raw="PROCESS	TYPE OF ALERT	COUNT
A	RED FLAG	458
A	ISJD	5245
A	IOO	21452
A	XCNCNC	125
B	LPOLSSS	21
B	SSSSSS	584
B	RED FLAG	284
B	ISJD	455
C	RED FLAG	255214
C	ISJD	55551
C	IOO	8569"| multikv forceheader=1
| table PROCESS TYPE_OF_ALERT COUNT
| sort PROCESS - COUNT
| autoregress PROCESS p=1 as pre_PROCESS
| eval PROCESS=case(isnull(pre_PROCESS),PROCESS,PROCESS!=pre_PROCESS,PROCESS,1=1,null()) | fields - pre_PROCESS
| eval PROCESS=if(isnull(PROCESS),TYPE_OF_ALERT,PROCESS)
| eval TYPE_OF_ALERT=if(PROCESS=TYPE_OF_ALERT,COUNT,TYPE_OF_ALERT)
| eval COUNT=if(COUNT=TYPE_OF_ALERT,null(),COUNT)


Thanks
KV
▄︻̷̿┻̿═━一

If any of my reply helps you to solve the problem Or gain knowledge, an upvote would be appreciated.

cindygibbs_08
Communicator

@kamlesh_vaghela thank you so much, this definitely works, but I feel like I will get a lot of use out of this in other problems I have to solve. Thank you so much!
