Splunk Search

Grouping similar
Hi all,

I have a search and it's working great for calculating averages based on the domain; the problem is that I would like to group the google.com's together. I thought I could do it with the eval command, but it doesn't seem to be working for me.

search:

index=collaboration tag::host=inbound [search index=collaboration tag::host=inbound mailsender=emailaddress@umich.edu | fields simtaid]
| transaction simtaid
| stats avg(duration) as "Average Duration" by domain_name

The output looks like this:

domain_name                 Average Duration
adsroot.itcs.umich.edu      31.538462
med.umich.edu               35.000000
mail-ig0-f173.google.com    61.000000
mail-ig0-f175.google.com    36.000000
mail-oi0-f47.google.com     36.000000
mail-qa0-f44.google.com     36.000000
mail-vc0-f178.google.com    36.000000
mail-wg0-f49.google.com     36.000000
mail-wi0-f178.google.com    37.000000
mail-yh0-f51.google.com     34.000000
mail-yk0-f170.google.com    36.000000

Thanks all


Re: Grouping similar


Will there be other domains like "google.com" which may appear multiple times? Also, the first two entries in your output, should they also be clubbed into one? (They are both from the umich.edu domain.)


Re: Grouping similar


Hi,

Sorry about that; only the Google ones should be grouped, the umich ones are fine separate.


Re: Grouping similar


By "group the google.com's together", do you mean you want one average for all *.google.com domain names? Do you want the umich.edu domain names grouped as well?


Re: Grouping similar


If the full hostname does not matter for google.com, you could do something like the following to reassign just google.com:

index=collaboration tag::host=inbound [search index=collaboration tag::host=inbound mailsender=emailaddress@umich.edu | fields simtaid]
| transaction simtaid
| eval domain_name=if(match(domain_name,"(^|\.)google\.com$"),"google.com",domain_name)
| stats avg(duration) as "Average Duration" by domain_name


Re: Grouping similar


Another alternative:

index=collaboration tag::host=inbound [search index=collaboration tag::host=inbound mailsender=emailaddress@umich.edu | fields simtaid]
| transaction simtaid
| replace *.google.com with google.com in domain_name
| stats avg(duration) as "Average Duration" by domain_name
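The two answers above normalise the host name before `stats` computes the averages: one with `eval`/`match` (a regex), one with `replace` (a whole-value wildcard). The example below is an added illustration, not code from this thread or from Splunk; it re-implements both steps in Python over constructed rows shaped like the question's output so you can see the result offline. The umich and google hosts mirror the thread; the two trailing decoy rows (`google.com.example.net`, `mail.googleXcom`) are constructed to show why an unanchored regex with unescaped dots (`.*google.com`) is unsafe as a domain filter: it folds look-alike names into the google.com bucket, while an anchored pattern with escaped dots, or the `replace *.google.com` wildcard, only groups google.com and its subdomains.

```python
import re
from fnmatch import fnmatchcase
from collections import defaultdict

# Constructed sample rows in the shape of the question's stats output: (domain_name, duration).
# The umich and google hosts mirror the thread; the last two rows are constructed decoys
# that a sloppy pattern would wrongly fold into google.com.
SAMPLE_ROWS = [
    ("adsroot.itcs.umich.edu", 31.538462),
    ("med.umich.edu", 35.0),
    ("mail-ig0-f173.google.com", 61.0),
    ("mail-ig0-f175.google.com", 36.0),
    ("mail-oi0-f47.google.com", 36.0),
    ("mail-yh0-f51.google.com", 34.0),
    ("google.com.example.net", 99.0),   # decoy: google.com is not the suffix here
    ("mail.googleXcom", 99.0),          # decoy: an unescaped '.' in the regex matches the X
]

# Pattern in the spirit of the original eval/match answer: no anchor, unescaped dots.
UNANCHORED = re.compile(r".*google.com")
# Hardened pattern: escaped dots, anchored at the end, label boundary before "google".
ANCHORED = re.compile(r"(^|\.)google\.com$")


def normalise_regex(domain, pattern=ANCHORED):
    """Python equivalent of: eval domain_name=if(match(domain_name, <pattern>), "google.com", domain_name).
    Splunk's match() is a search, not a full-string match, so re.search is the right analogue."""
    return "google.com" if pattern.search(domain) else domain


def normalise_glob(domain, glob="*.google.com"):
    """Python equivalent of: replace *.google.com with google.com in domain_name.
    The replace command's wildcard must match the whole field value, like fnmatch."""
    return "google.com" if fnmatchcase(domain, glob) else domain


def average_duration(rows, normalise=normalise_regex):
    """Python equivalent of: stats avg(duration) as "Average Duration" by domain_name,
    run after the chosen normalisation step. Returns {domain: average rounded to 6 places}."""
    sums = defaultdict(float)
    counts = defaultdict(int)
    for domain, duration in rows:
        key = normalise(domain)
        sums[key] += duration
        counts[key] += 1
    return {k: round(sums[k] / counts[k], 6) for k in sums}


if __name__ == "__main__":
    for label, fn in (
        ("unanchored regex (.*google.com)", lambda d: normalise_regex(d, UNANCHORED)),
        ("anchored regex ((^|\\.)google\\.com$)", normalise_regex),
        ("replace-style glob (*.google.com)", normalise_glob),
    ):
        print(label)
        for domain, avg in sorted(average_duration(SAMPLE_ROWS, fn).items()):
            print(f"  {domain:28} {avg:.6f}")
```

With the anchored regex or the glob, the four google hosts collapse to one `google.com` row (average 41.75) and the two decoys stay separate; with the unanchored pattern both decoys are absorbed into `google.com` and drag its average to 60.83. One difference between the two safe forms worth knowing: `*.google.com` requires a leading dot, so a bare `google.com` value is left untouched by `replace` (harmless here, since it already has the target name), whereas the anchored regex also matches it.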