Splunk Search

After running a "stats count by fields" search, is there a way to search on the tabled results?

satya2p
Path Finder

I wrote a search and used stats count by to display records. Now I have thousands of records and I would like to know if Splunk has search features on tabled records. We are using version 6.3. If it's not available, can it be created using a script? Please help.

0 Karma

koshyk
Super Champion

Instead of "stats", use "eventstats". Then you can have the original event with the stats data coming as well.
Please check this article: http://blogs.splunk.com/2014/04/01/search-command-stats-eventstats-and-streamstats-2/

somesoni2
Revered Legend

Not sure if I completely understood the requirement here. If your query is like this: base search | stats count by somefield(s), then you can add a search/where command at the end to search/filter results based on available fields (e.g. base search | stats count by somefield(s) | search field1=value1...).

satya2p
Path Finder

Hi Somesh, I am looking for a search on the tabled command. Let's say you got results and are displaying them in the Splunk interface as columns X, Y, Z, etc. I have thousands of records in a single column, which I do not need to change; I just want to have an additional search on the column to filter. Hope I am clear 🙂

sundareshr
Legend

Try this

base search | stats values(somefield) as mvfield | eval mvfield=mvfind(mvfield, "MATCHING_REGEX")
0 Karma