Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to display results grouping events by the field which is not part of event ?

sangs8788
Communicator
‎08-15-2017 10:54 PM

I have a lookup file with Release Number and Dates of Release.

Below query lists me the count of events which occured during release.

index=app  [|inputlookup ReleaseCalender.csv |sort Release ASC| reverse |streamstats current=f last(Production) as latest|rename Production as earliest| where Release="1"| table earliest, latest| convert mktime(*) timeformat="%d/%m/%Y"| format "" "" "" "" "" ""| rex field=search mode=sed "s/\"//g"] | stats count

is it possible to group the number of events by Release field, which is not part of events at all - but has the timestart and timeend for grouping ? Something like below result

Release Count
1 100
2 50
3 200

Thanks

Tags (2)
0 Karma
Reply

DalJeanis
Legend
‎08-16-2017 09:14 AM 
index=app  
| rename COMMENT as "for counting events by release, we only need the _time and a record type marker"
| eval rectype="detail"
| fields rectype

| rename COMMENT as "now we add the release records and sort them in front of any events on the same date"
| append [| inputlookup append=t ReleaseCalender.csv | table Release Production | rename Production as _time | eval rectype="deleteme"]
| sort 0 _time rectype

| rename COMMENT as "copy the Release onto all succeeding records until the next Release record, default nulls to zero."
| streamstats last(Release) as Release
| eval Release=coalesce(Release,"0")

| rename COMMENT as "kill the Release records then stats it up"
| search rectype="detail"
| stats count as Count by Release
0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Register for .conf25!
Get Updates on the Splunk Community!

.conf25 Global Broadcast: Don’t Miss a Moment

Hello Splunkers, .conf25 is only a click away.  Not able to make it to .conf25 in person? No worries, you can ...

Observe and Secure All Apps with Splunk

 Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

What's New in Splunk Observability - August 2025

What's New We are excited to announce the latest enhancements to Splunk Observability Cloud as well as what is ...