Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Help grouping results best command to use
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I'm pretty new to Splunk and trying to wrap my head around how to pull data out of Splunk and display it. I have a search which pulls out all the correct events. Now, I am trying to figure out how to display/group the results so it makes sense and is easy to go through.
Trying to have the output display something like what is shown below:
ID ID_Number UserName Status
00987 98377 username
087442 username
087442 username
username deleted
00990 077841 username
077841 username
077841 username
username deleted
When I group by ID then I only 1 result. If I try to group by ID_Number then the results look close to the above but they aren't broken down/arranged by each unique ID. I like to have all the results for the ID together and only display that ID once but at the same time show all the results for the remaining fields.
Here is what I tried which gets me close but doesn't group by ID
searchHere | stats values(username), values(status) by id_number
When I try to do it by ID it's when I only get 1 result
searchHere | stats values(id_number), values(username), values(status) by id
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try:
searchHere | stats list(ID_Number) as ID_Number, list(UserName) as UserName by ID, Status
Or:
searchHere | stats list(ID_Number) as ID_Number, list(UserName) as UserName, list(Status) as Status by ID
Depending on whether you want to group by status or simply display the different values for it.
If you wanted only the distinct values status can have you can use values() instead of list() in the second query.
Hope that helps.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks, the second one did the trick.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Note that the field names are case sensitive - have you tried:
searchHere | stats values(UserName) values(Status) by ID_Number
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try:
searchHere | stats list(ID_Number) as ID_Number, list(UserName) as UserName by ID, Status
Or:
searchHere | stats list(ID_Number) as ID_Number, list(UserName) as UserName, list(Status) as Status by ID
Depending on whether you want to group by status or simply display the different values for it.
If you wanted only the distinct values status can have you can use values() instead of list() in the second query.
Hope that helps.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Wats the expected format
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions
Splunk Community Badges!
[Puzzles] Solve, Learn, Repeat: Matching cron expressions
