Splunk Search

How do you order stats by multiple hierarchical fields

mbintz
Explorer

There are similar questions to this, but none are quite the same so I apologize for the overlap.

Suppose I have a set of data (events) that have a type and a subtype.

type = A, subtype = A1, A2, A3
type = B, subtype = B1, B2
type = C, subtype = (empty list)

So the events might look like this in time order:

event 1, type = C, ...
event 2, type = A, subtype=A3, ...
event 3, type = A, subtype=A1, ...
event 4, type = B, subtype=B2, ...
event 5, etc...

I've done searches similar to the following:

search index=events | stats count(type),count(subtype) by type,subtype

But those results do not exhibit the desired grouping. I would like for the resulting table to look like:

type   count(type)   subtype   count(subtype)
A      2             A1        1
                     A2        1
B      1             B1        1
C      1

lguinn2
Legend

This should work:

search index=events
| stats count(type) as tcount, count(subtype) as scount by type, subtype
| stats sum(tcount) as "Type Count" list(scount) as "Subtype Count" list(subtype) as "Subtype" by type

somesoni2
Revered Legend

Probably throw a fillnull for subtype before first stats, as it can be null/empty and stats will ignore the type without a subtype.
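The following is an added example, not code from the thread or from Splunk: a small Python emulation of the two-stage `stats` pipeline in the accepted answer, with the `stats ... by` null semantics that the comment above warns about. The sample events are constructed to mirror the event list in the question (type C carries no subtype), and the `fillnull` value `NULL` is an assumption. Running it with `fix_nulls=False` shows type C silently vanishing from the rollup, which in a SIEM means undercounted events rather than an error; `fix_nulls=True` models adding `fillnull` before the first `stats`.

```python
from collections import defaultdict

# Constructed sample events mirroring the question: event 1 has type C and no subtype.
EVENTS = [
    {"type": "C"},
    {"type": "A", "subtype": "A3"},
    {"type": "A", "subtype": "A1"},
    {"type": "B", "subtype": "B2"},
]


def stats_count_by(events, by_fields):
    """Emulate `stats count by <fields>`.

    Assumption modelled here (the behaviour the comment above describes):
    an event missing any of the by-fields is dropped from every group,
    because no group key can be formed for it.
    """
    groups = defaultdict(int)
    for ev in events:
        key = tuple(ev.get(f) for f in by_fields)
        if any(v is None for v in key):
            continue  # silently dropped, no error is raised
        groups[key] += 1
    return dict(groups)


def fillnull(events, field, value="NULL"):
    """Emulate `fillnull value=NULL <field>` (fill value is an assumption)."""
    return [{**ev, field: ev.get(field, value)} for ev in events]


def hierarchical_counts(events, fix_nulls):
    """Two-stage aggregation from the accepted answer.

    Stage 1: count by (type, subtype).
    Stage 2: roll up to one row per type with the subtype list and per-subtype
    counts, i.e. sum(tcount), list(subtype), list(scount) by type.
    """
    if fix_nulls:
        events = fillnull(events, "subtype")
    first = stats_count_by(events, ("type", "subtype"))
    rollup = {}
    for (t, s), n in sorted(first.items()):
        row = rollup.setdefault(
            t, {"Type Count": 0, "Subtype": [], "Subtype Count": []}
        )
        row["Type Count"] += n
        row["Subtype"].append(s)
        row["Subtype Count"].append(n)
    return rollup


if __name__ == "__main__":
    for fix in (False, True):
        print(f"fix_nulls={fix}:")
        for t, row in hierarchical_counts(EVENTS, fix).items():
            print(f"  {t}: {row}")
```

Without the fill, the rollup only contains A and B; with it, C appears with one `NULL` subtype and a type count of 1, matching the table the question asks for.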
