Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Combine two fields values in 1 value
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello,
I searched for hours without any working result, sorry.
Somes searches I'm running give out results, with a field named "service" with some results, and two of those results are "HTTP" and "http". I must do something them so that they are both "HTTP", the same value.
One of the searches, for example, is of that form :
index="nnn" service="*" | stats count(service) by service | sort 10 -num(count(service))
Some of the results it can return are like that :
service count(service)
1 HTTP 492234
2 http 219422
3 SNMP 188368
4 DNS 152919
Can anyone help me, please? Thanks a lot for any clue!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi NewMillenium,
Try the following:
index="nnn" service="*"
| eval service=upper(service)
| stats count(service) AS count BY service
| sort -count
Let me know how you go 🙂
References:
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi NewMillenium,
Try the following:
index="nnn" service="*"
| eval service=upper(service)
| stats count(service) AS count BY service
| sort -count
Let me know how you go 🙂
References:
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yep, that's exactly it 🙂 Happy Splunking!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Oh, it works!
If I get it right: this is permitting to change ALL services into their uppercase writing, and so resolving my problems, and you're just having "count(service)" as "count" so you don't have to rewrite "count(service)" in the sort...?
Thanks a lot for your help!!
(one "L" only to my nickname - no offense, I say it to absolutely everybody 😛 )
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions
Splunk Community Badges!
[Puzzles] Solve, Learn, Repeat: Matching cron expressions
