Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How do I pair two fields that came from the same event?

samsam48
Explorer
‎09-19-2018 07:36 AM

I have a handful of fields that I've extracted from the raw event data using the rex function. Now that I have these fields, I've applied some stat grouping and counting to them, but I'm unable to properly display additional fields without grouping on them.

The stats line looks like this: | stats values(problem) AS prob count by problemType problemLocation . That line produces a table that holds a problemType in the first column, the problem location in the second column, and a list of unique problems that are of that problemType and were caused at that problemLocation in a third column, given by the values function.

Each event only has 1 value for prob in this third column, and also only 1 value for another field X. I'm now trying to display, in a fourth column, values of this X field that match up in the same row with the displayed prob values in the third column without having to group everything else by them.

Any help would be appreciated.

0 Karma
Reply

somesoni2
SplunkTrust
SplunkTrust
‎09-19-2018 10:55 AM

Give this a try

your current search with fields problemType promblemLocation problem x
| eval problem=problem."##".x
| stats count by problemType promblemLocation problem
| table problemType promblemLocation problem
| rex field=problem "(?<problem>.+)##(?<x>.+)"
| stats list(problem) as problem list(x) as x by problemType problemLocation
Reply

richgalloway
SplunkTrust
SplunkTrust
‎09-19-2018 08:21 AM

Does | stats values(problem) AS prob values(x) as x count by problemType problemLocation not give the desired results?

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

samsam48
Explorer
‎09-19-2018 10:37 AM

@richgalloway the displays the values of the X column, but it doesn't align those values with the values shown in prob. This is to say that if there are 3 values shown in the probcolumn, then the adjacent column should display the 3 corresponding x values. This should be possible because each event has only one prob value and only one x value.

I also apply | eval prob=mvindex(prob, 0, 4) at the end to cut the output to only 5 values, although this is a slightly different situation.

0 Karma
Reply
Get Updates on the Splunk Community!

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...