Solved: Combine two fields values in 1 value

NewMilenium · ‎09-24-2013

Hello,
I searched for hours without any working result, sorry.
Somes searches I'm running give out results, with a field named "service" with some results, and two of those results are "HTTP" and "http". I must do something them so that they are both "HTTP", the same value.
One of the searches, for example, is of that form :

index="nnn" service="*" | stats count(service) by service | sort 10 -num(count(service))

Some of the results it can return are like that :

    service     count(service)
1   HTTP        492234
2   http        219422
3   SNMP        188368
4   DNS         152919

Can anyone help me, please? Thanks a lot for any clue!

rturk · ‎09-24-2013

Hi NewMillenium,

Try the following:

index="nnn" service="*" 
| eval service=upper(service) 
| stats count(service) AS count BY service 
| sort -count

Let me know how you go 🙂

References:

Splunk Docs: http://docs.splunk.com/Documentation/Splunk/5.0.5/SearchReference/CommonEvalFunctions

View solution in original post

rturk · ‎09-24-2013

Hi NewMillenium,

Try the following:

index="nnn" service="*" 
| eval service=upper(service) 
| stats count(service) AS count BY service 
| sort -count

Let me know how you go 🙂

References:

Splunk Docs: http://docs.splunk.com/Documentation/Splunk/5.0.5/SearchReference/CommonEvalFunctions

rturk · ‎09-24-2013

Yep, that's exactly it 🙂 Happy Splunking!

NewMilenium · ‎09-24-2013

Oh, it works!
If I get it right: this is permitting to change ALL services into their uppercase writing, and so resolving my problems, and you're just having "count(service)" as "count" so you don't have to rewrite "count(service)" in the sort...?

Thanks a lot for your help!!
(one "L" only to my nickname - no offense, I say it to absolutely everybody 😛 )

Combine two fields values in 1 value

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!