Splunk Search

How do I pair two fields that came from the same event?

Explorer

I have a handful of fields that I've extracted from the raw event data using the rex function. Now that I have these fields, I've applied some stat grouping and counting to them, but I'm unable to properly display additional fields without grouping on them.

The stats line looks like this: | stats values(problem) AS prob count by problemType problemLocation . That line produces a table that holds a problemType in the first column, the problem location in the second column, and a list of unique problems that are of that problemType and were caused at that problemLocation in a third column, given by the values function.

Each event only has 1 value for prob in this third column, and also only 1 value for another field X. I'm now trying to display, in a fourth column, values of this X field that match up in the same row with the displayed prob values in the third column without having to group everything else by them.

Any help would be appreciated.

0 Karma

Revered Legend

Give this a try

your current search with fields problemType promblemLocation problem x
| eval problem=problem."##".x
| stats count by problemType promblemLocation problem
| table problemType promblemLocation problem
| rex field=problem "(?<problem>.+)##(?<x>.+)"
| stats list(problem) as problem list(x) as x by problemType problemLocation

SplunkTrust
SplunkTrust

Does | stats values(problem) AS prob values(x) as x count by problemType problemLocation not give the desired results?

---
If this reply helps you, an upvote would be appreciated.
0 Karma

Explorer

@richgalloway the displays the values of the X column, but it doesn't align those values with the values shown in prob. This is to say that if there are 3 values shown in the probcolumn, then the adjacent column should display the 3 corresponding x values. This should be possible because each event has only one prob value and only one x value.

I also apply | eval prob=mvindex(prob, 0, 4) at the end to cut the output to only 5 values, although this is a slightly different situation.

0 Karma