Splunk Search
Highlighted

How do I create a faceted, multi-filter search with counting over multiple fields?

New Member

I'm writing a generic search layer that allows our users to have drilldown, faceted search experience. This means that for a given set of search results, I want to see the distribution of existing values for a set of given fields, with a count of matches. This will allow the user to select one of those values and run a second search, narrowing down the results.

It seems easy enough to do it for one result field, using stats count or chart count. The problem is that counting over multiple fields results in a narrow AND count, rather than a separate count for each different field.

I've tried implementing this with subsearches - search host="test" | chart count by field1 | append [search host="test" | chart count by field2] but this requires me to pass the search filters ( ( host="test") for every internal subsearch, in essence running the search n times instead of just getting stats on a single set of search results. It might be more efficient than running n searches from my code, but it still seems wasteful.

So, is there a way to achieve this without running multiple searches? It would be even better if I can get the search results alongside the search stats in a single hit.

0 Karma
Highlighted

Re: How do I create a faceted, multi-filter search with counting over multiple fields?

Explorer
0 Karma