Splunk Search

Aggregate only some results

PickleRick
SplunkTrust

I'll probably find my solution finally, but if someone has something at hand, I'd be grateful for sharing 🙂

I have some results. Let's say they are like this:

Count   FieldA   FieldB
11      a
12      b
34      c        1
54      d        1
462     e
0       f        3
12      g        3
4       h        3

I would like the values from the Count column summed up, but only for the events that have FieldB defined. For the rest, I want them left split by FieldA. For those summed up, I want the FieldA values aggregated into a multivalue field.

So effectively the output should be like

Count   FieldA   FieldB
11      a
12      b
88      c        1
        d
462     e
16      f        3
        g
        h

OK. I think I can get it done by adding another column created conditionally from either FieldA or FieldB, then aggregating by this field. Something like this:

<initial search>
| eval tempfield=if(isnull(FieldB), "FieldA-".FieldA, "FieldB-".FieldB)
| stats sum(Count) as Count values(FieldA) as FieldA values(FieldB) as FieldB by tempfield
| fields - tempfield

Any nicer way?


ITWhisperer
SplunkTrust

Not sure if this is nicer, but would this work?

| eventstats sum(Count) as AllCount values(FieldA) as AllFieldA by FieldB
| eval Count=if(isnull(FieldB),Count,AllCount)
| eval FieldA=if(isnull(FieldB),FieldA,AllFieldA)
| dedup FieldA
| table Count FieldA FieldB

PickleRick
SplunkTrust

Seems to produce the same results, although, no offence, since those temporary fields are getting quite huge, I'd not call that nicer 😉

But it's an interesting approach. I keep forgetting about eventstats. Thanks for the insight!

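A self-contained version of the conditional-key search from this thread that can be pasted straight into a Splunk search bar, added here as an example and not part of either post: the first five commands rebuild the sample table from a constructed string (makeresults, split, mvexpand, rex), and the last three are the grouping logic, which keys rows on FieldB where it is defined and on the row's own FieldA otherwise.

```spl
| makeresults
| eval row=split("11,a,;12,b,;34,c,1;54,d,1;462,e,;0,f,3;12,g,3;4,h,3", ";")
| mvexpand row
| rex field=row "^(?<Count>[^,]*),(?<FieldA>[^,]*),(?<FieldB>[^,]*)$"
| eval Count=tonumber(Count), FieldB=if(FieldB=="", null(), FieldB)
| fields - _time row
| eval tempfield=if(isnull(FieldB), "FieldA-".FieldA, "FieldB-".FieldB)
| stats sum(Count) as Count values(FieldA) as FieldA values(FieldB) as FieldB by tempfield
| fields - tempfield
| table Count FieldA FieldB
```

The "FieldA-"/"FieldB-" prefixes keep a FieldA value from colliding with an equal FieldB value in the group key; the expected result is the five-row table from the question, with c/d collapsed to 88 under FieldB 1 and f/g/h to 16 under FieldB 3.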