Splunk Search

How do I group one field's values by another field?

HattrickNZ
Motivator

I have a search ...|table measInfoId that gives output in 1 column with the values
e.g.

measInfoId
1x
2x
3x
...

I have the same search, but slightly different: ...| table c* gives output with the values in many columns
e.g.

c1x c2x c3x ...

What I am trying to do is get something like this (group the c1x's by the 1x's):

measInfoId  c*
 1x         c1x
 2x         c2x
            c3x
 3x         c4x
            c5x
...

I think this has something to do with the way the data is imported (the c is prefixed in front of the values c1x), which is why I am getting the difference. But given these conditions, can I achieve what I want? I may have to add more details to get this question answered as I try and solve this answer.

0 Karma

HattrickNZ
Motivator

I will try to explain by example.
If I do ...| chart list(measInfoId) by c* this says no results found.

If I do ...| chart list(measInfoId) by c1907466990, just looking at 1 specific c* value, I get the below:

    c1907466990 list(measInfoId)
1   0           1907425342
                1907425342
                1907425342
                1907425342
                1907425342
2   1           1907425342
                1907425342
                1907425342
                1907425342
    ...
98  104         1907425342
99  105         1907425342
                1907425342
                1907425342
100 106         1907425342

If I do ...| chart list(measInfoId) by measObj* this says no results found; the wildcard does not seem to work, it seems I have to specify the whole name. I will see if this might be a rights issue.

If I do ...| chart list(measInfoId) by measObjLdn, specifying the whole measObjLdn name, I get the below, which is what I am originally trying to achieve:

    measObjLdn  list(measInfoId)
1   object1     1907425301
                1907425280
                1907425335
                1907425301
                1907425280
                1907425335
                1907425301
2   object2     1907443286
                1907443286
                1907443286
                1907443286
                1907443286
...
100 object100   1907425341
                1907425341
                1907425341
                1907425341
0 Karma
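Added example, not part of the original thread: since the posts report that a wildcard in the BY clause returns no results, one way to get the layout asked for in the question is to turn the c* columns into rows with untable and then group the column names by measInfoId. It assumes measInfoId and the c* fields are present on the same events; the leading ... stands for the base search from the posts, and the names counter, value and counters are hypothetical.

```spl
... | table measInfoId c*
| untable measInfoId counter value
| stats values(counter) AS counters BY measInfoId
```

Here untable writes each c* field name into counter and its value into value, so values(counter) returns the distinct c* names seen for each measInfoId.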