Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Grouping the messages based on 2 fields in splunk?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Grouping the messages based on 2 fields in splunk?
I have below events/messages in my search result. There are 2 fields stack_trace and TYPE like below. I want to group the events and count them as shown below based on a particular text from stack_trace and TYPE field as below. Is it possible to group the messages based on 2 fields (TYPE,stack_trace)? I am using below query but I am stuck as to how to group by 2 fields.
Event 1
{
TYPE: ABCD
stack_trace : com.abc.xyz.package.ExceptionName: Missing A.
at random.package.w(DummyFile1:45)
at random.package.x(DummyFile2:64)
at random.package.y(DummyFile3:79)
}
Event 2
{
TYPE: XYZ
stack_trace : com.abc.xyz.package.ExceptionName: Missing B.
at random.package.w(DummyFile1:45)
at random.package.x(DummyFile2:64)
at random.package.y(DummyFile3:79)
}
Expected Output
TYPE Exception Count
ABCD Missing A 3
ABCD Missing B 4
XYZ Missing A 6
XYZ Missing B 1
Query I am using but incomplete
BASE_SEARCH
| rex field= _raw "Exception: (?<Exception>[^\.\<]+)"
| stats count as Count by "Exception"
Actual Output
Exception Count
Missing A 3
Missing B 4
Missing c 6
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @ghostrider,
yes you can use more than one field in the stats command, so you could use:
BASE_SEARCH
| rex field= _raw "Exception: (?<Exception>[^\.\<]+)"
| stats count as Count by TYPE "Exception"You have to put attention only to one thing: using two fields in the stats command you take only the events with both the fields, in other words, if one event has the TYPE field but not the TYPE field or opposite, the event isn't counted.
So you have to analyze your data to be sure that all the relevant events have both the fields.
If one of them could be missing, use fillnull command to assign a value (e.g. "-") when the value is missing.
Ciao.
Giuseppe
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks!! I just ran the query, and it looks like it shows "null" in the final output when the TYPE fields is not present but stack_trace is present. Is it possible to replace the null with some string like "N/A" so that it looks cleaner.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @ghostrider,
as I said, you can use the fillnull command (https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Fillnull)
BASE_SEARCH
| rex field= _raw "Exception: (?<Exception>[^\.\<]+)"
| fillnull value="N/A" TYPE
| stats count as Count by TYPE "Exception"Ciao.
Giuseppe
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas
What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)
Automating Threat Operations and Threat Hunting with Recorded Future
