Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Bucketing text values

sranga
Path Finder
‎06-04-2010 11:35 PM

Hi

I was wondering if there is a way to use the bucket command on fields that have text values. If not, is there a way to achieve this through other commands?

For example, if I have the following in my log file: 

<time>: id=1, field1=abc, field2=blah, field3=290  
<time>: id=2, field1=def, field2=blah, field3=2  
<time>: id=3, field1=yyy, field2=blah, field3=90  
<time>: id=4, field1=def, field2=blah, field3=9980  
<time>: id=5, field1=zzz, field2=blah, field3=29023  
<time>: id=6, field1=abc, field2=blah, field3=29330

I would like to bucket the results based on the field1 values, something similar to bucket field1 ....

Thanks for your help.

Ranga

0 Karma
Reply

lguinn2
Legend
‎05-21-2012 11:01 AM

Why are you bucketing? If you want to summarize the results in some way, you could do this, for example:

yoursearchhere |
stats count sum(field3) as totalField3 by field1

which would summarize across the entire time period. If you wanted to do it hour-by-hour, you could do something like this

yoursearchhere |
bucket _time span=1h |
stats count sum(field3) as totalField3 by field1 _time
0 Karma
Reply

Stephen_Sorkin
Splunk Employee
Splunk Employee
‎06-07-2010 08:11 PM

You can use the eval command to do this explicitly, for example:

... | eval new_field1 = substr(field1, 0, 1) + "..." | ...

This will create a new field, "new_field1" that will collapse everything past the first character.

Reply

sranga
Path Finder
‎06-08-2010 07:14 PM

Wouldn't this just create a new field with the starting alphabet of field1? How would it bucket the results?

0 Karma
Reply

sranga
Path Finder
‎06-07-2010 05:15 PM

Yes, group by values starting with alphabets.

0 Karma
Reply

gkanapathy
Splunk Employee
Splunk Employee
‎06-05-2010 03:09 AM

It's not clear to me what you mean by this. Do you mean to group, e.g., values that start with A-E, F-K, L-P, etc?

0 Karma
Reply

Stephen_Sorkin
Splunk Employee
Splunk Employee
‎06-04-2010 11:39 PM

Could you be more specific?

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Unlocking Unified Insights: New Gigamon Federated Search App for Splunk

In today’s data-heavy environment, organizations are caught in a data distribution dilemma. As data volumes ...

GA: New Data Management App in Splunk Platform

Streamlining Data Management: Introducing a unified experience in Splunk Managing data at scale shouldn’t feel ...

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...