Splunk Search

How do I pair two fields that came from the same event?

samsam48
Explorer

I have a handful of fields that I've extracted from the raw event data using the rex function. Now that I have these fields, I've applied some stat grouping and counting to them, but I'm unable to properly display additional fields without grouping on them.

The stats line looks like this: | stats values(problem) AS prob count by problemType problemLocation. That line produces a table that holds a problemType in the first column, the problem location in the second column, and a list of unique problems that are of that problemType and were caused at that problemLocation in a third column, given by the values function.

Each event only has 1 value for prob in this third column, and also only 1 value for another field X. I'm now trying to display, in a fourth column, values of this X field that match up in the same row with the displayed prob values in the third column without having to group everything else by them.

Any help would be appreciated.

0 Karma

somesoni2
SplunkTrust

Give this a try

<your current search> | fields problemType problemLocation problem x
| eval problem=problem."##".x
| stats count by problemType problemLocation problem
| table problemType problemLocation problem
| rex field=problem "(?<problem>.+)##(?<x>.+)"
| stats list(problem) as problem list(x) as x by problemType problemLocation
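The following is an added, self-contained example that is not part of the original thread. It builds six constructed events with makeresults (the field values, the pair field and the ## delimiter are assumptions made for illustration), then applies the concatenate-then-split approach above so that prob and x come out of stats in the same order. The last eval mirrors the mvindex truncation mentioned later in the thread, applied to both fields so they stay aligned.

```spl
| makeresults count=6
| streamstats count AS n
| eval problemType=case(n<=4, "auth", true(), "network"),
       problemLocation=case(n<=2, "web01", n<=4, "web02", true(), "core01"),
       problem=case(n==1, "expired token", n==2, "bad password", n==3, "expired token",
                    n==4, "locked account", true(), "timeout"),
       x=case(n==1, "E401", n==2, "E403", n==3, "E401", n==4, "E423", true(), "E504")
| fields problemType problemLocation problem x
| eval pair=problem."##".x
| stats count BY problemType problemLocation pair
| rex field=pair "^(?<problem>.+?)##(?<x>.+)$"
| stats list(problem) AS prob list(x) AS x sum(count) AS count BY problemType problemLocation
| eval prob=mvindex(prob, 0, 4), x=mvindex(x, 0, 4)
| table problemType problemLocation prob x count
```

For auth/web01 this yields prob=[bad password, expired token] beside x=[E403, E401], with count=2 restored by sum(count). To see the mis-pairing the question describes, replace everything from the eval pair line onward with | stats values(problem) AS prob values(x) AS x count BY problemType problemLocation: values() sorts each multivalue field independently, so the same row shows x=[E401, E403] and the pairing is lost, whereas list() preserves the row order of the preceding stats for both fields. Choose a delimiter that cannot occur in either field, and if x can be missing on some events wrap it in coalesce() before concatenating, otherwise pair is null and stats drops that row. A shorter alternative is | dedup problemType problemLocation problem x followed by stats list(problem) list(x) BY the group fields, at the cost of losing the original event count.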

richgalloway
SplunkTrust

Does | stats values(problem) AS prob values(x) as x count by problemType problemLocation not give the desired results?

---
If this reply helps you, Karma would be appreciated.
0 Karma

samsam48
Explorer

@richgalloway that displays the values of the X column, but it doesn't align those values with the values shown in prob. This is to say that if there are 3 values shown in the prob column, then the adjacent column should display the 3 corresponding x values. This should be possible because each event has only one prob value and only one x value.

I also apply | eval prob=mvindex(prob, 0, 4) at the end to cut the output to only 5 values, although this is a slightly different situation.

0 Karma