Re: Report using Splunk

abhayneilam · ‎10-16-2012

I have a file which contains :
Name,age,location,SEARCH
abhay,24,kolkata,XXX
vidu,49,chennaii,YYY
ajay,34,mumbaii,XXX
puja,45,hydrabad,XXX
this,34,mumbai,ZZZ
sure,34,kolkata,YYY

Now, i want to output like :

XXX 3
YYY 2
ZZZ 1

means first field will have the KEYWORD list and second field will have the count

Wilcooley · ‎10-16-2012

| inputlookup (or inputcsv) foo.csv | search SEARCH=* | eval SEARCH=lower(SEARCH) | stats count by SEARCH

Wilcooley · ‎10-18-2012

@abhayneilam: Does this answer your question? If so, could you mark it as such?

Wilcooley · ‎10-16-2012

I've updated with these 2 additional constraints.
By "delete if any blank line" do you mean the whole line could be blank or just the "SEARCH" column? The first case should be handled automatically; the "search SEARCH=*" should work for the latter.

abhayneilam · ‎10-16-2012

and also i would like to delete if any blank line is there

abhayneilam · ‎10-16-2012

if my SEARCH field is :

XXX
xXx
xxx
XXx
XxX
XXX

then, i want to count XXX as 6 in this case but here all are coming different count...

Report using Splunk

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Splunk Community Badges!

How to find the worst searches in your Splunk environment and how to fix them

Share Your Feedback: On Admin Config Service (ACS)!

Join the Conversation