Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How can I compare values within 1 field and group them

skyblue123
Engager
‎02-23-2022 11:02 PM

Hi,

I'm new to Splunk and I was trying to compare values in the same field and group them subsequently.

The events had client transaction id, pp_account_number, corrid different so had to remove them and compare and group. I used | stats group by and it didn't get me the results.  There were results that looked same but were not grouped together. Below is my query. I went on to remove spaces so that it will group better but didn't work as well . 

 

(index=pp_cal_live_logs_failure_services OR index=pp_cal_live_logs_success_sampling OR index=pp_cal_live_logs_allowlist)(machineColo="*") source IN ("riskexternalgateway")
| eval corrId=corr_id
| fields "corrId" , "calName" , "calMessage"
| where (match(calName,"Monitor_Vendor_Service_Call") AND match(calMessage,"usecase_name=US_CIPACHFunding&VReq[a-z]*"))
| eval calMessage= replace(calMessage, " ", "")
| eval calMessage = replace(calMessage, "<client_transaction_id>.*</client_transaction_id>" ," ")
| eval calMessage = replace(calMessage, "<pp_account_number>.*</pp_account_number>" ," ")
| eval calMessage = replace(calMessage, "corr_id_=.*" ,"")
| stats by calMessage 

Labels (3)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎02-23-2022 11:14 PM

Hi @skyblue123,

please try this:

(index=pp_cal_live_logs_failure_services OR index=pp_cal_live_logs_success_sampling OR index=pp_cal_live_logs_allowlist)(machineColo="*") source IN ("riskexternalgateway")
| rename corr_id AS corrId
| eval 
 status_calName=if(match(calName,"Monitor_Vendor_Service_Call"),"yes","not"), 
 status_calMessage=if(match(calMessage,"usecase_name=US_CIPACHFunding&VReq[a-z]*"),"yes","not")
| where status_calName="yes AND status_calMessage="yes"
| eval calMessage= replace(calMessage, " ", "")
| eval calMessage = replace(calMessage, "<client_transaction_id>.*</client_transaction_id>" ," ")
| eval calMessage = replace(calMessage, "<pp_account_number>.*</pp_account_number>" ," ")
| eval calMessage = replace(calMessage, "corr_id_=.*" ,"")
| stats by calMessage

Ciao.

Giuseppe

View solution in original post

0 Karma
Reply
Solved! Jump to solution

skyblue123
Engager
‎02-24-2022 01:16 AM

Hi, I have found the solution. can you help to delete my post? thank you

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎02-24-2022 01:21 AM

Hi @skyblue123,

please, don't delete your post, it could be useful for other people.

Ciao and happy splunking.

Giuseppe

P.S.: Karma Points are appreciated 😉

0 Karma
Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎02-23-2022 11:14 PM

Hi @skyblue123,

please try this:

(index=pp_cal_live_logs_failure_services OR index=pp_cal_live_logs_success_sampling OR index=pp_cal_live_logs_allowlist)(machineColo="*") source IN ("riskexternalgateway")
| rename corr_id AS corrId
| eval 
 status_calName=if(match(calName,"Monitor_Vendor_Service_Call"),"yes","not"), 
 status_calMessage=if(match(calMessage,"usecase_name=US_CIPACHFunding&VReq[a-z]*"),"yes","not")
| where status_calName="yes AND status_calMessage="yes"
| eval calMessage= replace(calMessage, " ", "")
| eval calMessage = replace(calMessage, "<client_transaction_id>.*</client_transaction_id>" ," ")
| eval calMessage = replace(calMessage, "<pp_account_number>.*</pp_account_number>" ," ")
| eval calMessage = replace(calMessage, "corr_id_=.*" ,"")
| stats by calMessage

Ciao.

Giuseppe

0 Karma
Reply
Solved! Jump to solution

skyblue123
Engager
‎02-23-2022 11:20 PM

tried the above. but there were still duplicates that can be grouped together but were not.

this is how a calMessage field looks like: 

Screenshot 2022-02-24 at 3.17.49 PM.png

0 Karma
Reply
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...

New in Observability Cloud - Explicit Bucket Histograms

Splunk introduces native support for histograms as a metric data type within Observability Cloud with Explicit ...