Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to Group field values into similar field values?

michaeler
Path Finder
‎02-06-2023 09:16 AM

I am trying to get network outage totals by domain. I have four domains: A, B, C, D. The problem is that sometimes there are outages that effect 2-3 domains that are reported as a different event and not by domain. 

| chart count(event_id) as Count by Domain

A                                           4
B                                           7
C                                           2
D                                           5
A, B                                      2
A, D                                      4
C, B                                      3
A, D, B                                 6

I want to display outages that effect each domain. So anything that includes A (A; A,B; A,D; A,D,B) will be added and the count for A will be 16. Same for the other domains.

The end result should be:
A                            16
B                            18
C                            5
D                            15

I've tried eval domain=if(domain=A OR domain="A, B" OR domain="A, D" OR domain="A, D, B", "A", domain) ....... but that only works for the first one. The combined domains aren't included in the totals for the subsequent if statements.

Labels (3)
Labels
Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

isoutamo
SplunkTrust
SplunkTrust
‎02-06-2023 12:16 PM

Hi

you can do it like this

| makeresults
| eval _raw = "Domain Value
A     4
B     7
C     2
D     5
A,B   2
A,D   4
C,B   3
A,D,B 6"
| multikv fields Domain Value
| fields Domain Value
```Above generate test data. You should replace it by your base search```
| eval Domain = split(Domain, ",")
| mvexpand Domain
| stats sum(Value) as Value by Domain

r. Ismo 

View solution in original post

Reply
Solved! Jump to solution
Solution

isoutamo
SplunkTrust
SplunkTrust
‎02-06-2023 12:16 PM

Hi

you can do it like this

| makeresults
| eval _raw = "Domain Value
A     4
B     7
C     2
D     5
A,B   2
A,D   4
C,B   3
A,D,B 6"
| multikv fields Domain Value
| fields Domain Value
```Above generate test data. You should replace it by your base search```
| eval Domain = split(Domain, ",")
| mvexpand Domain
| stats sum(Value) as Value by Domain

r. Ismo 

Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎02-06-2023 11:57 PM

@isoutamo 's solution works - one tweak I would make is to remove the mvexpand as it is unnecessary as stats will work over the elements of the multivalue field mentioned in the by clause.

0 Karma
Reply
Solved! Jump to solution

isoutamo
SplunkTrust
SplunkTrust
‎02-07-2023 07:44 AM
Thanx good to remember!
0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Cloud | Empowering Splunk Administrators with Admin Config Service (ACS)

Greetings, Splunk Cloud Admins and Splunk enthusiasts! The Admin Configuration Service (ACS) team is excited ...

Tech Talk | One Log to Rule Them All

One log to rule them all: how you can centralize your troubleshooting with Splunk logs We know how important ...

Splunk Security Content for Threat Detection & Response, Q1 Roundup

Join Principal Threat Researcher, Michael Haag, as he walks through: An introduction to the Splunk Threat ...