Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Bucketing text values

sranga
Path Finder
‎06-04-2010 11:35 PM

Hi

I was wondering if there is a way to use the bucket command on fields that have text values. If not, is there a way to achieve this through other commands?

For example, if I have the following in my log file: 

<time>: id=1, field1=abc, field2=blah, field3=290  
<time>: id=2, field1=def, field2=blah, field3=2  
<time>: id=3, field1=yyy, field2=blah, field3=90  
<time>: id=4, field1=def, field2=blah, field3=9980  
<time>: id=5, field1=zzz, field2=blah, field3=29023  
<time>: id=6, field1=abc, field2=blah, field3=29330

I would like to bucket the results based on the field1 values, something similar to bucket field1 ....

Thanks for your help.

Ranga

0 Karma
Reply

lguinn2
Legend
‎05-21-2012 11:01 AM

Why are you bucketing? If you want to summarize the results in some way, you could do this, for example:

yoursearchhere |
stats count sum(field3) as totalField3 by field1

which would summarize across the entire time period. If you wanted to do it hour-by-hour, you could do something like this

yoursearchhere |
bucket _time span=1h |
stats count sum(field3) as totalField3 by field1 _time
0 Karma
Reply

Stephen_Sorkin
Splunk Employee
Splunk Employee
‎06-07-2010 08:11 PM

You can use the eval command to do this explicitly, for example:

... | eval new_field1 = substr(field1, 0, 1) + "..." | ...

This will create a new field, "new_field1" that will collapse everything past the first character.

Reply

sranga
Path Finder
‎06-08-2010 07:14 PM

Wouldn't this just create a new field with the starting alphabet of field1? How would it bucket the results?

0 Karma
Reply

sranga
Path Finder
‎06-07-2010 05:15 PM

Yes, group by values starting with alphabets.

0 Karma
Reply

gkanapathy
Splunk Employee
Splunk Employee
‎06-05-2010 03:09 AM

It's not clear to me what you mean by this. Do you mean to group, e.g., values that start with A-E, F-K, L-P, etc?

0 Karma
Reply

Stephen_Sorkin
Splunk Employee
Splunk Employee
‎06-04-2010 11:39 PM

Could you be more specific?

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Mobile: Your Brand-New Home Screen

Meet Your New Mobile Hub  Hello Splunk Community!  Staying connected to your data—no matter where you are—is ...

Introducing Value Insights (Beta): Understand the Business Impact your organization ...

Real progress on your strategic priorities starts with knowing the business outcomes your teams are delivering ...

Enterprise Security (ES) Essentials 8.3 is Now GA — Smarter Detections, Faster ...

As of today, Enterprise Security (ES) Essentials 8.3 is now generally available, helping SOC teams simplify ...