Splunk Search

Can I create a new field for each value contained in an existing field?

mrfredman
Path Finder

Hi,

I'm a bit unsure how to go about this, but essentially I'd like to create a new field for each value contained in an existing field.

I have a field that we'll call name containing several hundred entries. I'd like to create a new value for each field in name containing the count of all entries associated with that name.

In pseudo-code, I imagine it working something like this:
stats count(eval(name=n)) as "n" creating a new n for every value contained in name.

Is this possible?

Can I loop a statement, populating n with a new value each time?

1 Solution

ramdaspr
Contributor
chart count(name) over date by name 

should give a line graph with lines for names and count as Y Axis and Date as the X-axis

mrfredman
Path Finder

That did the trick. Thanks!

This creates a new problem where all but the top 11 names get lumped into an Other category, but this certainly answers my initial question.

0 Karma

ramdaspr
Contributor
 chart count(name) over date by name useother=f

to force all series to be shown.

0 Karma
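
An added example, not part of the original thread: the accepted `chart ... over ... by ... useother=f` search run end to end on constructed rows shaped like the id, name and created-date input described in the thread. The field names `constructed_row`, `created` and `month`, the `%Y-%m-%d` date format and the sample values are assumptions made for illustration; `limit=0` is added so that `chart` does not cap the number of name columns.

```spl
| makeresults
| eval constructed_row=split("1,Name,2014-01-10;2,Name3,2014-01-12;3,Name3,2014-01-28;4,Name,2014-02-03;5,Name2,2014-02-11;6,Name2,2014-02-19;7,Name3,2014-02-25;8,Name3,2014-03-07", ";")
| mvexpand constructed_row
| rex field=constructed_row "^(?<id>\d+),(?<name>[^,]+),(?<created>.+)$"
| eval month=strftime(strptime(created, "%Y-%m-%d"), "%Y-%m")
| chart count(id) over month by name useother=f limit=0
| fillnull value=0
```

The result has one row per month and one column per name, which is the layout a line chart needs to draw one series per name.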

ramdaspr
Contributor

Can you add a sample of your input data and what the output should look like so that we get a better idea what you are trying to achieve?

0 Karma

mrfredman
Path Finder

I can't go into too much detail, but I'll do my best.

My input contains 3 columns: id, name, and created date.

The output I'm looking for is: a row for each month of the year, with a column name, and a count of ids per name/month.

Sort of like this:

        Name Name2 Name3
Jan-14  1   0   3
Feb-14  2   4   4
Mar-14  0   0   1

(I've got all the time conversion and sorting figured out, I'm just having trouble sorting by both month and name (I can easily do one or the other but not both) so I figured if each name had a field I could just count those fields by month)

0 Karma

ramdaspr
Contributor
.. | stats count(name) by date, name | transpose
0 Karma

mrfredman
Path Finder

While that almost works, the end goal (which I haven't yet mentioned, apologies) is to chart this data in a line graph with a line for each name.

As far as I can tell, I can't do this unless I'm able to break out each name into its own field and ensure there is only 1 row per date.

0 Karma

Raghav2384
Motivator

chart count over Name by month?

0 Karma