Re: Calculating fields by groups of events

andrey2007 · ‎03-07-2013

Hello,
I need to group events by 3 filelds ip,login and city (one group with same login,same ip and same city),
something like this
user1 192.168.1.1 London field4...fieldn
user1 192.168.1.1 London field4...fieldn
user1 192.168.1.1 London field4...fieldn

user1 2.2.2.2 London field4...fieldn
user1 2.2.2.2 London field4...fieldn
....
user10 4.4.4.4 NY field4...fieldn
user10 4.4.4.4 NY field4...fieldn
user10 4.4.4.4 NY field4...fieldn
after this i need to calculate custom fields INSIDE EVERY GROUP, for example sum of events in group with field4`s value=5 or minimal value of fieldn where field4=12.
I tried to use transaction command

| transaction ip, login, city

but I don`t find out how to calculate custom fileds separately for each transaction.

Also, I was looking at stats command, but as I understood, it`s not possible to use eval command inside stats statement.

What`s the best way to do it?

andrey2007 · ‎03-11-2013

i made without transaction command
1st report
...|where field4==12 | stats min(fieldn) by ip, login, city
2nd report
...|where field4==5 | stats count(field4) by ip, login, city
but i need it all in one united report

martin_mueller · ‎03-08-2013

You could do something like this for your two examples:

... | eventstats count(eval(field4==5)) as result by ip login city

... | eventstats min(eval(if(field4==12,fieldn,null))) as min by ip login city

Calculating fields by groups of events

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms