Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How do I sum the counts of all the similar values in a field to show as a single item?

praneethkodali
Explorer
‎11-11-2015 01:23 PM

Below search command is giving the results as below

source="report1447097285313.csv" host="ca2indslogprd02" index="poc" sourcetype="csv" "Lost Detail"="*" host="*"| top limit=20 "Lost Detail"

alt text

How do I sum all the %duplicate% values in the field Lost Detail and show it as a single value?For example, I would like to show the results for Duplicate, duplicate, duplicate opportunity, Duplicate Opp in below table as one value with the sum of its count.

Preview file
18 KB
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

aljohnson_splun
Splunk Employee
Splunk Employee
‎11-11-2015 01:38 PM

The essence here is using eval to match on case insensitive duplicate:

| eval "Lost Detail" = if(match('Lost Detail', "(?i)duplicate.*"), "duplicate", 'Lost Detail')

In the case that the regular expression (?i)duplicate.* is matched to the value of the field Lost Detail, return "duplicate" as the value, otherwise, just return return the value of Lost Detail (single quotes are crucial!).

 source="report1447097285313.csv" host="ca2indslogprd02" index="poc" sourcetype="csv" "Lost Detail"="*" host="*"
| eval "Lost Detail" = if(match('Lost Detail', "(?i)duplicate.*"), "duplicate", 'Lost Detail')
| top limit=20 "Lost Detail"

View solution in original post

Reply
Solved! Jump to solution
Solution

aljohnson_splun
Splunk Employee
Splunk Employee
‎11-11-2015 01:38 PM

The essence here is using eval to match on case insensitive duplicate:

| eval "Lost Detail" = if(match('Lost Detail', "(?i)duplicate.*"), "duplicate", 'Lost Detail')

In the case that the regular expression (?i)duplicate.* is matched to the value of the field Lost Detail, return "duplicate" as the value, otherwise, just return return the value of Lost Detail (single quotes are crucial!).

 source="report1447097285313.csv" host="ca2indslogprd02" index="poc" sourcetype="csv" "Lost Detail"="*" host="*"
| eval "Lost Detail" = if(match('Lost Detail', "(?i)duplicate.*"), "duplicate", 'Lost Detail')
| top limit=20 "Lost Detail"
Reply
Solved! Jump to solution

praneethkodali
Explorer
‎11-11-2015 04:08 PM

thank you johnson. Above eval function is giving me "Error in 'eval' command: The arguments to the 'case' function are invalid". I tried adding closing brace to case function ? Did i miss anything with respect to the syntax. I apologize for asking the basic question

source="report1447097285313.csv" host="ca2indslogprd02" index="poc" sourcetype="csv" "Lost Detail"="*" host="*"
 | eval "Lost Detail" = case(match("Lost Detail", "(?i)duplicate.*"), "duplicate", "Lost Detail"**)**
 | top limit=20 "Lost Detail"
0 Karma
Reply
Solved! Jump to solution

aljohnson_splun
Splunk Employee
Splunk Employee
‎11-12-2015 12:41 PM

Sorry ! It should've been if, not case.

Case takes pairs of arguments e.g. case(X, Y, X, Y,...) where each x is a boolean and y is the returned value if x is true.

If however takes 3 arguments, e.g. if(X,Y,Z), where x is boolean - if true, return y, else, return z.

Was also missing a ending parens. My bad.

@praneethkodali
@sundareshr

0 Karma
Reply
Solved! Jump to solution

praneethkodali
Explorer
‎11-12-2015 08:54 PM

thank you, it worked. I used single quotes for the 'Lost Detail' field in match and if functions from your answer.

Reply
Solved! Jump to solution

aljohnson_splun
Splunk Employee
Splunk Employee
‎11-13-2015 10:15 AM

Haha I missed those too ! I will update the answer for future people but sorry for my sloppiness. Glad you got it working.

0 Karma
Reply
Solved! Jump to solution

sundareshr
Legend
‎11-11-2015 04:57 PM

Try removing the space in your field name eg. "Lost Detail" s/b Lost_Detail See if that helps. You can always add the space back with a replace commande

0 Karma
Reply
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...