Splunk Search

Calculating fields by groups of events

Contributor

Hello,
I need to group events by 3 fields: ip, login and city (one group with the same login, same ip and same city),
something like this:
user1 192.168.1.1 London field4...fieldn
user1 192.168.1.1 London field4...fieldn
user1 192.168.1.1 London field4...fieldn

user1 2.2.2.2 London field4...fieldn
user1 2.2.2.2 London field4...fieldn
....
user10 4.4.4.4 NY field4...fieldn
user10 4.4.4.4 NY field4...fieldn
user10 4.4.4.4 NY field4...fieldn
After this I need to calculate custom fields INSIDE EVERY GROUP, for example the sum of events in a group where field4's value = 5, or the minimal value of fieldn where field4 = 12.
I tried to use transaction command

| transaction ip, login, city

but I can't find out how to calculate custom fields separately for each transaction.

Also, I was looking at the stats command, but as I understood, it's not possible to use the eval command inside a stats statement.

What's the best way to do it?

0 Karma

Re: Calculating fields by groups of events

SplunkTrust

You could do something like this for your two examples:

... | eventstats count(eval(field4==5)) as result by ip login city

... | eventstats min(eval(if(field4==12,fieldn,null()))) as min by ip login city
0 Karma

Re: Calculating fields by groups of events

Contributor

I made it without the transaction command:
1st report
...|where field4==12 | stats min(fieldn) by ip, login, city
2nd report
...|where field4==5 | stats count(field4) by ip, login, city
but I need it all in one united report.

0 Karma
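Both per-group metrics from the thread can be produced in a single stats report, since stats accepts several eval-based aggregations in one command. This is an added example, not from any of the posters; `...` stands for the author's own base search, and the field names (ip, login, city, field4, fieldn) are taken from the question.

```spl
... | stats count AS events_in_group,
            count(eval(field4==5)) AS events_with_field4_5,
            min(eval(if(field4==12, fieldn, null()))) AS min_fieldn_where_field4_12
      BY ip login city
```

Unlike eventstats, stats collapses each ip/login/city group to one row, which is what a combined report needs; groups with no field4=12 events simply get an empty min_fieldn_where_field4_12.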