Displaying several fields, some with aggregate dat...

razlani · ‎03-12-2015

Hi all - new here but the answers I've seen so far on stats (ie http://answers.splunk.com/answers/106497/add-a-new-count-field-to-a-table.html) do a group on several fields when one wishes to display several fields in a table (for example).

My question is this: When wishing to display several fields (either ones created yourself or the ones already recognized by splunk), do you use a table, eval or stats to display them?

Eg.: Splunk recognizes all the following fields: uri_path, referer_domain, urlslug, lang.

How can I say "for a given index, count the top uri_path info but display the rest of the recognized fields in the output table".

Something like index="jellyfish" | top showperc=false limit=10 uri_path, referer_domain, urlslug, lang

But I don't wish it to group/aggregate by any field other than the uri_path one. So: "display the other fields if they exist, if not just place a blank value, but don't impact my counting top uri_path data"

Do you guys typically use eval only for custom fields? Or table/chart perhaps for what I'm after?

Thanks for helping this newbie!

razlani · ‎03-12-2015

This seems to have done the trick but I appreciate any suggestions for improvements etc:

index="ss" | stats count(uri_path) as Amount, values(referer_domain) as RefererDomain, values(urlslug) as UrlSlug, values(lang) as Lang by uri_path | sort - Amount

Top was not the way to go it seems - or if it was I couldn't get it to work.

somesoni2 · ‎03-12-2015

Give this a try

Something like index="jellyfish" | eval uri_path=uri_path."##".coalesce(referer_domain,"")."##".coalesce(urlslug,"")."##".coalesce(lang,"") | top showperc=false limit=10 uri_path | rex field=uri_path "(?<uri_path>.*)##(?<referer_domain>.*)##(?<urlslug>.*)##(?<lang>.*)"

razlani · ‎03-12-2015

Upon further testing I've discovered that the "top" statement is somehow preventing the other fields from populating data.

With top: http://i.imgur.com/Jfs5lM3.png

Without Top: http://i.imgur.com/c2qeAo9.png

razlani · ‎03-12-2015

I've made my comment into a post as I was unsure how alerts are made via comments:

Thank you but two problems:

It's not actually populating data as per the 'interesting fields' list of fields on the events page. For instance, in the table, everything is empty except uri_path (and I've checked the event independently and it contains data in those fields and lists them as default in the 'interesting fields' section) .
it may sort by the 'top' values but it doesn't actually contain the number in a separate column (which is desirable). I did a stats count by and it just added those words as fields in the table.

Please help!

richgalloway · ‎03-12-2015

Eval and stats calculate values and create fields. One can display fields using table, chart, and timechart (among others). Your task can be achieved with something like:

index="jellyfish" | top showperc=false limit=10 uri_path | table uri_path, referer_domain, urlslug, lang

---
If this reply helps you, Karma would be appreciated.

razlani · ‎03-12-2015

Thank you but two problems:

It's not actually populating data as per the 'interesting fields' list of fields on the events page. For instance, in the table, everything is empty except uri_path (and I've checked the event independently and it contains data in those fields and lists them as default in the 'interesting fields' section) .
it may sort by the 'top' values but it doesn't actually contain the number in a separate column (which is desirable). I did a stats count by and it just added those words as fields in the table.

Please help!

Displaying several fields, some with aggregate data

Now Available: Cisco Talos Threat Intelligence Integrations for Splunk Security Cloud ...

Preparing your Splunk Environment for OpenSSL3

Easily Improve Agent Saturation with the Splunk Add-on for OpenTelemetry Collector