Splunk Search

How to add all events of a field, save them in a new variable and append the new variable to the original field

vshakur
Path Finder

I have a field called suite_name that consists of several suites, each of which has many events.

I would like to combine all those events into a single suite (called all_suites). In other words, I'd like to create a new suite that would contain all the events of all the suites from the suite_name field.

Next, I would like to add the newly created all_suites suite to all the other suites (i.e. append all_suites to suite_name), so that suite_name (or any other variable) would contain all the original suites in addition to the all_suites suite.

Thanks,
Samuel

1 Solution

DalJeanis
SplunkTrust

There are a lot of different things that you could mean when you ask that. Could you please give an example of the data?

For instance, you could have this...

Suite        EventCount
S-100          5
S-101          2
S-102          6

and want this added...

All Suites    13

In which case, what you want is

| addtotals EventCount row=f col=t labelfield=Suite label="All Suites"

Or you could have this...

Suite        S-100       S-101       S-102
Events           5           2           6

And want this...

Suite        S-100       S-101       S-102    All Suites
Events           5           2           6          13

...in which case you do this...

| addtotals row=t col=f fieldname="All Suites"

Or you could have this

Suite        Event
S-100        birthday party 8/15/2017 
             anniversary   8/19/2017
S-101        scifi convention 8/15/2017
             scifi convention 8/16/2017
S-102        scifi convention 8/15/2017
             scifi convention 8/16/2017
             dance party 8/21/2017

and want this added

Suite        Event
All Suites  birthday party 8/15/2017 
             anniversary   8/19/2017
             scifi convention 8/15/2017
             scifi convention 8/16/2017
             scifi convention 8/15/2017
             scifi convention 8/16/2017
             dance party 8/21/2017

...In which case it might be something like this...

| appendpipe [ eval Suite="All Suites" ]
| sort 0 Suite Event

If you show us your current data format, we can give you explicit advice about what to do.
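A self-contained search that rebuilds the third layout with makeresults and applies the appendpipe approach, added here as an example and not part of the original answer; the Suite and Event values are constructed from the tables above. appendpipe runs the bracketed eval over the results already in the pipeline, so every existing row is copied under the "All Suites" label without re-running the base search, which is what an append subsearch would have to do.

```spl
| makeresults count=7
| streamstats count AS n
| eval Suite=case(n<=2, "S-100", n<=4, "S-101", true(), "S-102")
| eval Event=case(n=1, "birthday party 8/15/2017",
                  n=2, "anniversary 8/19/2017",
                  n=3, "scifi convention 8/15/2017",
                  n=4, "scifi convention 8/16/2017",
                  n=5, "scifi convention 8/15/2017",
                  n=6, "scifi convention 8/16/2017",
                  true(), "dance party 8/21/2017")
| fields - _time n
| appendpipe [ eval Suite="All Suites" ]
| sort 0 Suite Event
```

Appending `| stats count AS EventCount by Suite` to the end shows S-100, S-101 and S-102 with 2, 2 and 3 events and All Suites with all 7, which confirms the combined suite holds every original row.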


vshakur
Path Finder

Your last suggestion helped me finally solve the problem. I used append instead of appendpipe.
Thanks.

DalJeanis
SplunkTrust
SplunkTrust

Good enough. Yes, you can create a different search and append that onto the end of the first.


cmerriman
Super Champion

Have you looked into creating a tag? http://docs.splunk.com/Documentation/SplunkCloud/6.6.1/Knowledge/Abouttagsandaliases
You can assign multiple values to one field. I think this might be what you're looking for.
