Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Bucketing text values

sranga
Path Finder
‎06-04-2010 11:35 PM

Hi

I was wondering if there is a way to use the bucket command on fields that have text values. If not, is there a way to achieve this through other commands?

For example, if I have the following in my log file: 

<time>: id=1, field1=abc, field2=blah, field3=290  
<time>: id=2, field1=def, field2=blah, field3=2  
<time>: id=3, field1=yyy, field2=blah, field3=90  
<time>: id=4, field1=def, field2=blah, field3=9980  
<time>: id=5, field1=zzz, field2=blah, field3=29023  
<time>: id=6, field1=abc, field2=blah, field3=29330

I would like to bucket the results based on the field1 values, something similar to bucket field1 ....

Thanks for your help.

Ranga

0 Karma
Reply

lguinn2
Legend
‎05-21-2012 11:01 AM

Why are you bucketing? If you want to summarize the results in some way, you could do this, for example:

yoursearchhere |
stats count sum(field3) as totalField3 by field1

which would summarize across the entire time period. If you wanted to do it hour-by-hour, you could do something like this

yoursearchhere |
bucket _time span=1h |
stats count sum(field3) as totalField3 by field1 _time
0 Karma
Reply

Stephen_Sorkin
Splunk Employee
Splunk Employee
‎06-07-2010 08:11 PM

You can use the eval command to do this explicitly, for example:

... | eval new_field1 = substr(field1, 0, 1) + "..." | ...

This will create a new field, "new_field1" that will collapse everything past the first character.

Reply

sranga
Path Finder
‎06-08-2010 07:14 PM

Wouldn't this just create a new field with the starting alphabet of field1? How would it bucket the results?

0 Karma
Reply

sranga
Path Finder
‎06-07-2010 05:15 PM

Yes, group by values starting with alphabets.

0 Karma
Reply

gkanapathy
Splunk Employee
Splunk Employee
‎06-05-2010 03:09 AM

It's not clear to me what you mean by this. Do you mean to group, e.g., values that start with A-E, F-K, L-P, etc?

0 Karma
Reply

Stephen_Sorkin
Splunk Employee
Splunk Employee
‎06-04-2010 11:39 PM

Could you be more specific?

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...