Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to add all events of a field, save them in a new variable and append the new variable to the original field

vshakur
Path Finder
‎08-07-2017 04:44 AM

I have a field called suite_name that consists of several suites, each of which has many events.

I would like to combine all those events into a single suite (called all_suites). In other words, I'd like to create a new suite that would contain all the events of all the suites from the suite_name field.

Next, I would like to add the newly created all_suites suite to all the other suites (i.e. append all_suites to suite_name), so that suite_name (or any other variable) would contain all the original suites in addition to the all_suites suite.

Thanks,
Samuel

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

DalJeanis
Legend
‎08-07-2017 05:37 AM

There are a lot of different things that you could mean when you ask that. Could you please give an example of the data?

For instance, you could have this...

Suite        EventCount
S-100          5
S-101          2
S-102          6

and want this added...

All Suites    13

In which case, what you want is 

|  addtotals EventCount row=f col=t fieldname=Suite labelfield="All Suites"

Or you could have this... 

Suite        S-100       S-101       S-101
Events           5           2           6

And want this...

Suite        S-100       S-101       S-101    All Suites
Events           5           2           6          13

...in which case you do this...

|  addtotals EventCount row=t col=f label="All Suites"

Or you could have this 

Suite        Event
S-100        birthday party 8/15/2017 
             anniversary   8/19/2017
S-101        scifi convention 8/15/2017
             scifi convention 8/16/2017
S-102        scifi convention 8/15/2017
             scifi convention 8/16/2017
             dance party 8/21/2017

and want this added

Suite        Event
All Suites  birthday party 8/15/2017 
             anniversary   8/19/2017
             scifi convention 8/15/2017
             scifi convention 8/16/2017
             scifi convention 8/15/2017
             scifi convention 8/16/2017
             dance party 8/21/2017

...In which case it might be something like this... 

   | appendpipe [|eval suite="all Suites"]
  | sort 0 suite event

If you show us your current data format, we can give you explicit advice about what to do.

View solution in original post

Reply
Solved! Jump to solution
Solution

DalJeanis
Legend
‎08-07-2017 05:37 AM

There are a lot of different things that you could mean when you ask that. Could you please give an example of the data?

For instance, you could have this...

Suite        EventCount
S-100          5
S-101          2
S-102          6

and want this added...

All Suites    13

In which case, what you want is 

|  addtotals EventCount row=f col=t fieldname=Suite labelfield="All Suites"

Or you could have this... 

Suite        S-100       S-101       S-101
Events           5           2           6

And want this...

Suite        S-100       S-101       S-101    All Suites
Events           5           2           6          13

...in which case you do this...

|  addtotals EventCount row=t col=f label="All Suites"

Or you could have this 

Suite        Event
S-100        birthday party 8/15/2017 
             anniversary   8/19/2017
S-101        scifi convention 8/15/2017
             scifi convention 8/16/2017
S-102        scifi convention 8/15/2017
             scifi convention 8/16/2017
             dance party 8/21/2017

and want this added

Suite        Event
All Suites  birthday party 8/15/2017 
             anniversary   8/19/2017
             scifi convention 8/15/2017
             scifi convention 8/16/2017
             scifi convention 8/15/2017
             scifi convention 8/16/2017
             dance party 8/21/2017

...In which case it might be something like this... 

   | appendpipe [|eval suite="all Suites"]
  | sort 0 suite event

If you show us your current data format, we can give you explicit advice about what to do.

Reply
Solved! Jump to solution

vshakur
Path Finder
‎08-07-2017 07:25 AM

Your last suggestion helped me finally solve the problem. I used append instead of appendpipe.
Thanks.

Reply
Solved! Jump to solution

DalJeanis
Legend
‎08-07-2017 09:17 AM

Good enough. Yes, you can create a different search and append that onto the end of the first.

0 Karma
Reply
Solved! Jump to solution

cmerriman
Super Champion
‎08-07-2017 04:57 AM

have you looked into creating a tag? http://docs.splunk.com/Documentation/SplunkCloud/6.6.1/Knowledge/Abouttagsandaliases
you can assign multiple values into one field. i think this might be what you're looking for.

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...