Splunk Enterprise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Group Different Sources in One Query

a0491455
Observer
‎07-14-2021 07:14 AM

Hello,

 

I'm running Splunk 8.1.2 and I'm trying to group different sources of an Index to count them within one query.

The following fields are what I'm trying to group:
index: license_compliance

fields:
- prod 

- dev

- other (anything that does not end in prod or dev)

 

 

index=license_compliance OR source="/license_compliance-splunk-data/iCinga_ingest/*"
| rex field=source "\/license_compliance-splunk-data\/iCinga_ingest\/(?<log_source>\w)" 
| eval log_source="iCinga_ingest".log_source 
| stats dc(source)
| dedup source, name
| timechart span=1d count(name) by source

 

 

 The data looks like this currently:

"/license_compliance-splunk-data/iCinga_ingest/iCingaDev_2021-07-07.csv"

I would like to get something like this:

 

 

07/07:
iCinga_Prod: 5
iCinga_Dev: 0
iCinga_Other: 2

 

 

Thanks in advance!

Labels (1)
Labels
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎07-14-2021 08:31 AM

The dedup command is redundant when stats is used and timechart often (but not always) is redundant to stats.  Have you tried just timechart?

 

index=license_compliance OR source="/license_compliance-splunk-data/iCinga_ingest/*"
| rex field=source "\/license_compliance-splunk-data\/iCinga_ingest\/(?<log_source>\w)" 
| eval log_source="iCinga_ingest".log_source 
| timechart span=1d count(name) by log_source

 

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

a0491455
Observer
‎07-14-2021 08:53 AM

This unfortunately did not work for me. The code works the same with or without the "rex" command in this case.

My assumption is that the data format (the example I posted was "/license_compliance-splunk-data/iCinga_ingest/iCingaDev_2021-07-07.csv") is not being read and grouped (because it's automated for once every 24hr) by the current query.

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎07-14-2021 10:58 AM

Please try my edited answer.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability Cloud | Customer Survey!

If you use Splunk Observability Cloud, we invite you to share your valuable insights with us through a brief ...

Happy CX Day, Splunk Community!

Happy CX Day, Splunk Community! CX stands for Customer Experience, and today, October 3rd, is CX Day — a ...

.conf23 | Get Your Cybersecurity Defense Analyst Certification in Vegas

We’re excited to announce a new Splunk certification exam being released at .conf23! If you’re going to Las ...