Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to form a search based on my data and my desired output?

rsathish47
Contributor
‎12-21-2016 09:49 PM

Hi All,

I have the below format of data 

Name    Value
1-Jan   A
2-Jan   B
2-Jan   B
3-Jan   C
2-Feb    A
1-Mar   V
2-Mar   B
3-Mar   C

Output needs to be like this

Name    Value
Jan   3
FEB   3
Mar      4

Please help me format the search.

Tags (2)
0 Karma
Reply

woodcock
Esteemed Legend
‎03-24-2017 11:41 PM

This one was fun (mostly because I enjoyed the brain-teaser of figuring out what exactly you were doing to get the shown outcome):

|makeresults | eval raw="1-Jan    A::2-Jan    B::2-Jan    B::3-Jan    C::2-Feb    A::1-Mar    V::2-Mar    B::3-Mar    C"
| makemv delim="::" raw
| mvexpand raw
| rename raw AS _raw
| rex "(?<Name>\S+)\s+(?<Value>.*)"
| fields - _raw _time

| rename COMMENT AS "Everything above is faking the data; Everthing below is your solution"

| rex field=Name mode=sed "s/^\d+\-//"
| eval Name=strftime(strptime(Name . " 1 2017", "%b %d %Y"), "%m")
| sort 0 Name
| stats values(Value) AS Value BY Name
| streamstats values(Value) AS Value
| stats dc(Value) AS Value BY Name
| fieldformat Name=strftime(strptime(Name . " 1 2017", "%m %d %Y"), "%b")
0 Karma
Reply

gokadroid
Motivator
‎12-21-2016 10:35 PM

Give this a try if you want to count based on the month and how many times it occurred:

your query to return the data as given in question
| rex field=Name "\-(?<month>.*)"
| stats count by month
| rename month as Name

Updating as per info given in comments

your query to return the data as given in question
| rex field=Name "\-(?<Name>.*)"
| streamstats dc(Value) as Value
| stats last(Value) by Name
Reply

rsathish47
Contributor
‎12-21-2016 11:23 PM

I tried it but it is not giving right count.

i want dedup month
Jan --> dedup till Jan --> 3
FEB --> dedup till Feb---> 3
Mar--> dedup till Mar---> 4

0 Karma
Reply

somesoni2
Revered Legend
‎12-21-2016 09:54 PM

Try this (assuming format of field Name is %d-%b , date-month AND you want to count how many distinct values of field 'Value' is available in the month)

your current search giving field Name, Value
| eval Name=mvindex(split(Name,"-")-1) 
| stats dc(Value) as Value by Name

If this is not what you want, please provide more details on your requirement/data.

Reply

rsathish47
Contributor
‎12-21-2016 10:46 PM

Thank You for the query
I got below output but it is not correct output
Name Value
Feb 1
Jan 3
Mar 3

i want dedup month
Jan --> dedup till Jan --> 3
FEB --> dedup till Feb---> 3
Mar--> dedup till Mar---> 4
...
Please help me

0 Karma
Reply

somesoni2
Revered Legend
‎12-21-2016 11:39 PM

What are your exact requirements? I get you're deduping but what are you doing exactly (more details)?

0 Karma
Reply
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...