Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to enumerate values in an individual event?

yuanliu
SplunkTrust
SplunkTrust
‎10-15-2014 09:42 AM

In stats, values() can be used to enumerate values fitting the stats criteria. Is there a similar function to do this for individual events? For example, a meal can involve fork, knife and spoon multiple times, but I only want an unordered list of utensils have been used, not the full sequence in which they are used.

Given inputs

07:10 food=milk utensil=bowl utensil=spoon food=cereal utensil=spoon food="scrambled eggs" utensil=fork food=milk utensil=bowl food=banana
12:00  food="hot dog"
18:00  food=salad utensil=fork food=bread utensil=knife food=soup utensil=spoon food=steak utensil=knife utensil=fork food=bread food=apple utensil=knife

I want to have the following utensils values attached to each event:

Breakfast: utensils="bowl, fork, knife, spoon"
Lunch:
Dinner: utensils="fork, knife, spoon"

If there is a field "meal", I can perhaps eventstats values(utensil) as utensils by meal. But meal is not always present. Even _time may not be distinct enough. Besides, when dealing with millions of events, eventstats for values in each events looks insane. Is there a better way?

0 Karma
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎10-15-2014 12:04 PM

This may be a bit brute-force-ish, but is a way of running a stats values() by event:

base search | streamstats count | eventstats values(utensil) as utensils by count

May not scale well for zillions of events.

0 Karma
Reply
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...