Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to create a list of fields in a table with stats displayed on the Selected Fields sidebar, including rare 10 values, their counts, and percentages?

landen99
Motivator
‎09-09-2015 07:27 AM

I want to take a list of fields and show the stats displayed on the Selected fields sidebar in a table.

When we do a search, on the left side there is a Selected Fields section. When we click on a field, we see stats on that field, including:
Percent of events overall
Top 10 values and their counts and percents

I would like to put these into a table for each field specified (not just top), and other stats too.

I am also interested in other stats for each field:
Rare 10 values and their counts and percents
Values which deviate from the standard pattern

Table:

Type Field Value Count %
All user ALL 99 99%
Top 1 user abc 12 12%
Top 2 ...
Bottom 1 user xyz 13 13%
All dest ALL 98 98%
...

Maybe it will involve append using top and rare, or perhaps fieldsummary? but is it possible to use eventstats? like:

| table field1 field2 |  eventstats count percent by *

fieldsummary has no percent and the values are not well formatted. Plus, there are a lot of extra fields there as well. Perhaps I need to manually format it or are there functions which assist with the formatting and rendering of the data? It also does not seem to show rare values.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

landen99
Motivator
‎09-09-2015 08:15 AM 
index=myindex | table field1 | appendpipe [| top field1 | eval category="top" ] | appendpipe [| rare field1 | eval category="rare" ] | appendpipe [| stats sum(count) AS count | eval field1="all" | eval percent=100 | eval category="all"] | search category=*

View solution in original post

0 Karma
Reply
Solved! Jump to solution

landen99
Motivator
‎09-09-2015 09:26 AM

This does not give rare values, but it is fast and gives good stats. Still searching for how to add rare values.

| head 99999 | table field1 | fieldsummary | rename count AS count_all | table field count_all values | eval values=replace(values,"\\\\\\\\","\\") | rex field=values max_match=0 "\{(?<values_line>[^,]*,[^,]*)\},?" | fields - values | mvexpand values_line | rex field=values_line max_match=0 "\"value\":\"(?<value>[^\"]*)\",\"count\":(?<count>\d*)" | eval percent=round(count/count_all*100,2) | table field value count percent count_all | head 99 | appendpipe [| stats first(count_all) AS count_all sum(count) AS count first(field) AS field | eval percent=round(count/count_all*100,2) | eval value="top 100 values" | fields - count_all ] | fields - count_all | sort 0 - percent
0 Karma
Reply
Solved! Jump to solution
Solution

landen99
Motivator
‎09-09-2015 08:15 AM 
index=myindex | table field1 | appendpipe [| top field1 | eval category="top" ] | appendpipe [| rare field1 | eval category="rare" ] | appendpipe [| stats sum(count) AS count | eval field1="all" | eval percent=100 | eval category="all"] | search category=*
0 Karma
Reply
Solved! Jump to solution

landen99
Motivator
‎09-09-2015 07:40 AM

Maybe:

| anomalousvalue action=filter field1 field2

to find the anomalous values but it does not compute counts and percentages.

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars this month. This ...

They're back! Join the SplunkTrust and MVP at .conf24

With our highly anticipated annual conference, .conf, comes the fez-wearers you can trust! The SplunkTrust, as ...

Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...