Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

How can I compare values within 1 field and group them

skyblue123
Engager
‎02-23-2022 11:02 PM

Hi,

I'm new to Splunk and I was trying to compare values in the same field and group them subsequently.

The events had client transaction id, pp_account_number, corrid different so had to remove them and compare and group. I used | stats group by and it didn't get me the results.  There were results that looked same but were not grouped together. Below is my query. I went on to remove spaces so that it will group better but didn't work as well . 

 

(index=pp_cal_live_logs_failure_services OR index=pp_cal_live_logs_success_sampling OR index=pp_cal_live_logs_allowlist)(machineColo="*") source IN ("riskexternalgateway")
| eval corrId=corr_id
| fields "corrId" , "calName" , "calMessage"
| where (match(calName,"Monitor_Vendor_Service_Call") AND match(calMessage,"usecase_name=US_CIPACHFunding&VReq[a-z]*"))
| eval calMessage= replace(calMessage, " ", "")
| eval calMessage = replace(calMessage, "<client_transaction_id>.*</client_transaction_id>" ," ")
| eval calMessage = replace(calMessage, "<pp_account_number>.*</pp_account_number>" ," ")
| eval calMessage = replace(calMessage, "corr_id_=.*" ,"")
| stats by calMessage 

Labels (3)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎02-23-2022 11:14 PM

Hi @skyblue123,

please try this:

(index=pp_cal_live_logs_failure_services OR index=pp_cal_live_logs_success_sampling OR index=pp_cal_live_logs_allowlist)(machineColo="*") source IN ("riskexternalgateway")
| rename corr_id AS corrId
| eval 
 status_calName=if(match(calName,"Monitor_Vendor_Service_Call"),"yes","not"), 
 status_calMessage=if(match(calMessage,"usecase_name=US_CIPACHFunding&VReq[a-z]*"),"yes","not")
| where status_calName="yes AND status_calMessage="yes"
| eval calMessage= replace(calMessage, " ", "")
| eval calMessage = replace(calMessage, "<client_transaction_id>.*</client_transaction_id>" ," ")
| eval calMessage = replace(calMessage, "<pp_account_number>.*</pp_account_number>" ," ")
| eval calMessage = replace(calMessage, "corr_id_=.*" ,"")
| stats by calMessage

Ciao.

Giuseppe

View solution in original post

0 Karma
Reply
Solved! Jump to solution

skyblue123
Engager
‎02-24-2022 01:16 AM

Hi, I have found the solution. can you help to delete my post? thank you

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎02-24-2022 01:21 AM

Hi @skyblue123,

please, don't delete your post, it could be useful for other people.

Ciao and happy splunking.

Giuseppe

P.S.: Karma Points are appreciated 😉

0 Karma
Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎02-23-2022 11:14 PM

Hi @skyblue123,

please try this:

(index=pp_cal_live_logs_failure_services OR index=pp_cal_live_logs_success_sampling OR index=pp_cal_live_logs_allowlist)(machineColo="*") source IN ("riskexternalgateway")
| rename corr_id AS corrId
| eval 
 status_calName=if(match(calName,"Monitor_Vendor_Service_Call"),"yes","not"), 
 status_calMessage=if(match(calMessage,"usecase_name=US_CIPACHFunding&VReq[a-z]*"),"yes","not")
| where status_calName="yes AND status_calMessage="yes"
| eval calMessage= replace(calMessage, " ", "")
| eval calMessage = replace(calMessage, "<client_transaction_id>.*</client_transaction_id>" ," ")
| eval calMessage = replace(calMessage, "<pp_account_number>.*</pp_account_number>" ," ")
| eval calMessage = replace(calMessage, "corr_id_=.*" ,"")
| stats by calMessage

Ciao.

Giuseppe

0 Karma
Reply
Solved! Jump to solution

skyblue123
Engager
‎02-23-2022 11:20 PM

tried the above. but there were still duplicates that can be grouped together but were not.

this is how a calMessage field looks like: 

Screenshot 2022-02-24 at 3.17.49 PM.png

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...