Splunk Search

Displaying several fields, some with aggregate data

razlani
Explorer

Hi all - new here but the answers I've seen so far on stats (ie http://answers.splunk.com/answers/106497/add-a-new-count-field-to-a-table.html) do a group on several fields when one wishes to display several fields in a table (for example).

My question is this: When wishing to display several fields (either ones created yourself or the ones already recognized by splunk), do you use a table, eval or stats to display them?

Eg.: Splunk recognizes all the following fields: uri_path, referer_domain, urlslug, lang.

How can I say "for a given index, count the top uri_path info but display the rest of the recognized fields in the output table".

Something like index="jellyfish" | top showperc=false limit=10 uri_path, referer_domain, urlslug, lang

But I don't wish it to group/aggregate by any field other than the uri_path one. So: "display the other fields if they exist, if not just place a blank value, but don't impact my counting top uri_path data"

Do you guys typically use eval only for custom fields? Or table/chart perhaps for what I'm after?

Thanks for helping this newbie!

Tags (5)
0 Karma

razlani
Explorer

This seems to have done the trick but I appreciate any suggestions for improvements etc:

index="ss" | stats count(uri_path) as Amount, values(referer_domain) as RefererDomain, values(urlslug) as UrlSlug, values(lang) as Lang by uri_path | sort - Amount

Top was not the way to go it seems - or if it was I couldn't get it to work.

somesoni2
Revered Legend

Give this a try

Something like index="jellyfish" | eval uri_path=uri_path."##".coalesce(referer_domain,"")."##".coalesce(urlslug,"")."##".coalesce(lang,"") | top showperc=false limit=10 uri_path | rex field=uri_path "(?<uri_path>.*)##(?<referer_domain>.*)##(?<urlslug>.*)##(?<lang>.*)"
0 Karma

razlani
Explorer

Upon further testing I've discovered that the "top" statement is somehow preventing the other fields from populating data.

With top: http://i.imgur.com/Jfs5lM3.png

Without Top: http://i.imgur.com/c2qeAo9.png

0 Karma

razlani
Explorer

I've made my comment into a post as I was unsure how alerts are made via comments:

Thank you but two problems:

  1. It's not actually populating data as per the 'interesting fields' list of fields on the events page. For instance, in the table, everything is empty except uri_path (and I've checked the event independently and it contains data in those fields and lists them as default in the 'interesting fields' section) .

  2. it may sort by the 'top' values but it doesn't actually contain the number in a separate column (which is desirable). I did a stats count by and it just added those words as fields in the table.

Please help!

0 Karma

richgalloway
SplunkTrust
SplunkTrust

Eval and stats calculate values and create fields. One can display fields using table, chart, and timechart (among others). Your task can be achieved with something like:

index="jellyfish" | top showperc=false limit=10 uri_path | table uri_path, referer_domain, urlslug, lang
---
If this reply helps you, Karma would be appreciated.
0 Karma

razlani
Explorer

Thank you but two problems:

  1. It's not actually populating data as per the 'interesting fields' list of fields on the events page. For instance, in the table, everything is empty except uri_path (and I've checked the event independently and it contains data in those fields and lists them as default in the 'interesting fields' section) .
  2. it may sort by the 'top' values but it doesn't actually contain the number in a separate column (which is desirable). I did a stats count by and it just added those words as fields in the table.

Please help!

0 Karma
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...