Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How do I pair two fields that came from the same event?

samsam48
Explorer
‎09-19-2018 07:36 AM

I have a handful of fields that I've extracted from the raw event data using the rex function. Now that I have these fields, I've applied some stat grouping and counting to them, but I'm unable to properly display additional fields without grouping on them.

The stats line looks like this: | stats values(problem) AS prob count by problemType problemLocation . That line produces a table that holds a problemType in the first column, the problem location in the second column, and a list of unique problems that are of that problemType and were caused at that problemLocation in a third column, given by the values function.

Each event only has 1 value for prob in this third column, and also only 1 value for another field X. I'm now trying to display, in a fourth column, values of this X field that match up in the same row with the displayed prob values in the third column without having to group everything else by them.

Any help would be appreciated.

0 Karma
Reply

somesoni2
Revered Legend
‎09-19-2018 10:55 AM

Give this a try

your current search with fields problemType promblemLocation problem x
| eval problem=problem."##".x
| stats count by problemType promblemLocation problem
| table problemType promblemLocation problem
| rex field=problem "(?<problem>.+)##(?<x>.+)"
| stats list(problem) as problem list(x) as x by problemType problemLocation
Reply

richgalloway
SplunkTrust
SplunkTrust
‎09-19-2018 08:21 AM

Does | stats values(problem) AS prob values(x) as x count by problemType problemLocation not give the desired results?

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

samsam48
Explorer
‎09-19-2018 10:37 AM

@richgalloway the displays the values of the X column, but it doesn't align those values with the values shown in prob. This is to say that if there are 3 values shown in the probcolumn, then the adjacent column should display the 3 corresponding x values. This should be possible because each event has only one prob value and only one x value.

I also apply | eval prob=mvindex(prob, 0, 4) at the end to cut the output to only 5 values, although this is a slightly different situation.

0 Karma
Reply
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...