Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How do I sum the counts of all the similar values in a field to show as a single item?

praneethkodali
Explorer
‎11-11-2015 01:23 PM

Below search command is giving the results as below

source="report1447097285313.csv" host="ca2indslogprd02" index="poc" sourcetype="csv" "Lost Detail"="*" host="*"| top limit=20 "Lost Detail"

alt text

How do I sum all the %duplicate% values in the field Lost Detail and show it as a single value?For example, I would like to show the results for Duplicate, duplicate, duplicate opportunity, Duplicate Opp in below table as one value with the sum of its count.

Preview file
18 KB
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

aljohnson_splun
Splunk Employee
Splunk Employee
‎11-11-2015 01:38 PM

The essence here is using eval to match on case insensitive duplicate:

| eval "Lost Detail" = if(match('Lost Detail', "(?i)duplicate.*"), "duplicate", 'Lost Detail')

In the case that the regular expression (?i)duplicate.* is matched to the value of the field Lost Detail, return "duplicate" as the value, otherwise, just return return the value of Lost Detail (single quotes are crucial!).

 source="report1447097285313.csv" host="ca2indslogprd02" index="poc" sourcetype="csv" "Lost Detail"="*" host="*"
| eval "Lost Detail" = if(match('Lost Detail', "(?i)duplicate.*"), "duplicate", 'Lost Detail')
| top limit=20 "Lost Detail"

View solution in original post

Reply
Solved! Jump to solution
Solution

aljohnson_splun
Splunk Employee
Splunk Employee
‎11-11-2015 01:38 PM

The essence here is using eval to match on case insensitive duplicate:

| eval "Lost Detail" = if(match('Lost Detail', "(?i)duplicate.*"), "duplicate", 'Lost Detail')

In the case that the regular expression (?i)duplicate.* is matched to the value of the field Lost Detail, return "duplicate" as the value, otherwise, just return return the value of Lost Detail (single quotes are crucial!).

 source="report1447097285313.csv" host="ca2indslogprd02" index="poc" sourcetype="csv" "Lost Detail"="*" host="*"
| eval "Lost Detail" = if(match('Lost Detail', "(?i)duplicate.*"), "duplicate", 'Lost Detail')
| top limit=20 "Lost Detail"
Reply
Solved! Jump to solution

praneethkodali
Explorer
‎11-11-2015 04:08 PM

thank you johnson. Above eval function is giving me "Error in 'eval' command: The arguments to the 'case' function are invalid". I tried adding closing brace to case function ? Did i miss anything with respect to the syntax. I apologize for asking the basic question

source="report1447097285313.csv" host="ca2indslogprd02" index="poc" sourcetype="csv" "Lost Detail"="*" host="*"
 | eval "Lost Detail" = case(match("Lost Detail", "(?i)duplicate.*"), "duplicate", "Lost Detail"**)**
 | top limit=20 "Lost Detail"
0 Karma
Reply
Solved! Jump to solution

aljohnson_splun
Splunk Employee
Splunk Employee
‎11-12-2015 12:41 PM

Sorry ! It should've been if, not case.

Case takes pairs of arguments e.g. case(X, Y, X, Y,...) where each x is a boolean and y is the returned value if x is true.

If however takes 3 arguments, e.g. if(X,Y,Z), where x is boolean - if true, return y, else, return z.

Was also missing a ending parens. My bad.

@praneethkodali
@sundareshr

0 Karma
Reply
Solved! Jump to solution

praneethkodali
Explorer
‎11-12-2015 08:54 PM

thank you, it worked. I used single quotes for the 'Lost Detail' field in match and if functions from your answer.

Reply
Solved! Jump to solution

aljohnson_splun
Splunk Employee
Splunk Employee
‎11-13-2015 10:15 AM

Haha I missed those too ! I will update the answer for future people but sorry for my sloppiness. Glad you got it working.

0 Karma
Reply
Solved! Jump to solution

sundareshr
Legend
‎11-11-2015 04:57 PM

Try removing the space in your field name eg. "Lost Detail" s/b Lost_Detail See if that helps. You can always add the space back with a replace commande

0 Karma
Reply
Get Updates on the Splunk Community!

🌟 From Audit Chaos to Clarity: Welcoming Audit Trail v2

🗣 You Spoke, We Listened Audit Trail v2 wasn’t written in isolation—it was shaped by your voices. In ...

Splunk Enterprise Security 8.x: The Essential Upgrade for Threat Detection, ...

 Prepare to elevate your security operations with the powerful upgrade to Splunk Enterprise Security 8.x! This ...

Get Early Access to AI Playbook Authoring: Apply for the Alpha Private Preview ...

Passionate about security automation? Apply now to our AI Playbook Authoring Alpha private preview ...