Splunk Search

How do I sum the counts of all the similar values in a field to show as a single item?

praneethkodali
Explorer

Below search command is giving the results as below

source="report1447097285313.csv" host="ca2indslogprd02" index="poc" sourcetype="csv" "Lost Detail"="*" host="*"| top limit=20 "Lost Detail"

alt text

How do I sum all the %duplicate% values in the field Lost Detail and show it as a single value?For example, I would like to show the results for Duplicate, duplicate, duplicate opportunity, Duplicate Opp in below table as one value with the sum of its count.

0 Karma
1 Solution

aljohnson_splun
Splunk Employee
Splunk Employee

The essence here is using eval to match on case insensitive duplicate:

| eval "Lost Detail" = if(match('Lost Detail', "(?i)duplicate.*"), "duplicate", 'Lost Detail')

In the case that the regular expression (?i)duplicate.* is matched to the value of the field Lost Detail, return "duplicate" as the value, otherwise, just return return the value of Lost Detail (single quotes are crucial!).

 source="report1447097285313.csv" host="ca2indslogprd02" index="poc" sourcetype="csv" "Lost Detail"="*" host="*"
| eval "Lost Detail" = if(match('Lost Detail', "(?i)duplicate.*"), "duplicate", 'Lost Detail')
| top limit=20 "Lost Detail"

View solution in original post

aljohnson_splun
Splunk Employee
Splunk Employee

The essence here is using eval to match on case insensitive duplicate:

| eval "Lost Detail" = if(match('Lost Detail', "(?i)duplicate.*"), "duplicate", 'Lost Detail')

In the case that the regular expression (?i)duplicate.* is matched to the value of the field Lost Detail, return "duplicate" as the value, otherwise, just return return the value of Lost Detail (single quotes are crucial!).

 source="report1447097285313.csv" host="ca2indslogprd02" index="poc" sourcetype="csv" "Lost Detail"="*" host="*"
| eval "Lost Detail" = if(match('Lost Detail', "(?i)duplicate.*"), "duplicate", 'Lost Detail')
| top limit=20 "Lost Detail"

praneethkodali
Explorer

thank you johnson. Above eval function is giving me "Error in 'eval' command: The arguments to the 'case' function are invalid". I tried adding closing brace to case function ? Did i miss anything with respect to the syntax. I apologize for asking the basic question

source="report1447097285313.csv" host="ca2indslogprd02" index="poc" sourcetype="csv" "Lost Detail"="*" host="*"
 | eval "Lost Detail" = case(match("Lost Detail", "(?i)duplicate.*"), "duplicate", "Lost Detail"**)**
 | top limit=20 "Lost Detail"
0 Karma

aljohnson_splun
Splunk Employee
Splunk Employee

Sorry ! It should've been if, not case.

Case takes pairs of arguments e.g. case(X, Y, X, Y,...) where each x is a boolean and y is the returned value if x is true.

If however takes 3 arguments, e.g. if(X,Y,Z), where x is boolean - if true, return y, else, return z.

Was also missing a ending parens. My bad.

@praneethkodali
@sundareshr

0 Karma

praneethkodali
Explorer

thank you, it worked. I used single quotes for the 'Lost Detail' field in match and if functions from your answer.

aljohnson_splun
Splunk Employee
Splunk Employee

Haha I missed those too ! I will update the answer for future people but sorry for my sloppiness. Glad you got it working.

0 Karma

sundareshr
Legend

Try removing the space in your field name eg. "Lost Detail" s/b Lost_Detail See if that helps. You can always add the space back with a replace commande

0 Karma
Get Updates on the Splunk Community!

New in Observability - Improvements to Custom Metrics SLOs, Log Observer Connect & ...

The latest enhancements to the Splunk observability portfolio deliver improved SLO management accuracy, better ...

Improve Data Pipelines Using Splunk Data Management

  Register Now   This Tech Talk will explore the pipeline management offerings Edge Processor and Ingest ...

3-2-1 Go! How Fast Can You Debug Microservices with Observability Cloud?

Register Join this Tech Talk to learn how unique features like Service Centric Views, Tag Spotlight, and ...