Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Group results by a keyword in a particular field

bushrangerjones
New Member
‎09-29-2015 11:07 PM

Hi,

I am trying to group (bring together) the results by a keyword in a certain field. For example, I want to group all of the URLs that include "Hightail". As you can see from the screenshot I have several Hightail URLs. I want to group them all together, and turn the results in to a dashboard. Would this be possible?

alt text

Current query:

index=proxy sourcetype=bluecoat cs_categories="*File Storage*" cs_username!="-" cs_method!="unknown" cs_host="*hightail*" | stats sum(cs_bytes) AS bytes_uploaded sum(sc_bytes) AS bytes_downloaded by cs_username cs_host sc_filter_result | eval megabytes_down=bytes_downloaded/1024/1024 | eval megabytes_up=bytes_uploaded/1024/1024 | rename cs_username as "User",cs_host as "Cloud storage URL", sc_filter_result AS "Result", megabytes_up as "Downloaded (MB)", megabytes_down as "Uploaded (MB)"| ......... replace OBSERVED with ALLOWED in Result | sort by -"Downloaded (MB)" | table User, displayName, department, Result, "Cloud storage URL", "Downloaded (MB)", "Uploaded (MB)"

Thank you

Preview file
261 KB
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎09-30-2015 09:22 AM

Try this

index=proxy sourcetype=bluecoat cs_categories="*File Storage*" cs_username!="-" cs_method!="unknown" cs_host="*hightail*" | stats sum(cs_bytes) AS bytes_uploaded sum(sc_bytes) AS bytes_downloaded by cs_username cs_host sc_filter_result  | eval cs_host=if(match(cs_host,".*\.hightail\.com"),"XXX.hightails.com",cs_host) | stats sum(*) as * by cs_username cs_host sc_filter_result | eval megabytes_down=bytes_downloaded/1024/1024 | eval megabytes_up=bytes_uploaded/1024/1024 | rename cs_username as "User",cs_host as "Cloud storage URL", sc_filter_result AS "Result", megabytes_up as "Downloaded (MB)", megabytes_down as "Uploaded (MB)"| ......... replace OBSERVED with ALLOWED in Result | sort by -"Downloaded (MB)" | table User, displayName, department, Result, "Cloud storage URL", "Downloaded (MB)", "Uploaded (MB)"

View solution in original post

Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎09-30-2015 09:22 AM

Try this

index=proxy sourcetype=bluecoat cs_categories="*File Storage*" cs_username!="-" cs_method!="unknown" cs_host="*hightail*" | stats sum(cs_bytes) AS bytes_uploaded sum(sc_bytes) AS bytes_downloaded by cs_username cs_host sc_filter_result  | eval cs_host=if(match(cs_host,".*\.hightail\.com"),"XXX.hightails.com",cs_host) | stats sum(*) as * by cs_username cs_host sc_filter_result | eval megabytes_down=bytes_downloaded/1024/1024 | eval megabytes_up=bytes_uploaded/1024/1024 | rename cs_username as "User",cs_host as "Cloud storage URL", sc_filter_result AS "Result", megabytes_up as "Downloaded (MB)", megabytes_down as "Uploaded (MB)"| ......... replace OBSERVED with ALLOWED in Result | sort by -"Downloaded (MB)" | table User, displayName, department, Result, "Cloud storage URL", "Downloaded (MB)", "Uploaded (MB)"
Reply
Solved! Jump to solution

bushrangerjones
New Member
‎10-01-2015 06:12 PM

Thanks for that! It works, however it is not picking up URLS like this one - storage.us1.hightail.com. As that URL is made up of 4 parts and not 3 I suppose?

0 Karma
Reply
Solved! Jump to solution

bushrangerjones
New Member
‎10-01-2015 09:38 PM

I just added this line:

eval cs_host=if(match(cs_host,".*\.au1\.hightail\.com"), "XXX.hightail.com",cs_host)

Seem to have done the job! Thanks

0 Karma
Reply
Get Updates on the Splunk Community!

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...

Auto-Injector for Everything Else: Making OpenTelemetry Truly Universal

You might have seen Splunk’s recent announcement about donating the OpenTelemetry Injector to the ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...