Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to form a search based on my data and my desired output?

rsathish47
Contributor
‎12-21-2016 09:49 PM

Hi All,

I have the below format of data 

Name    Value
1-Jan   A
2-Jan   B
2-Jan   B
3-Jan   C
2-Feb    A
1-Mar   V
2-Mar   B
3-Mar   C

Output needs to be like this

Name    Value
Jan   3
FEB   3
Mar      4

Please help me format the search.

Tags (2)
0 Karma
Reply

woodcock
Esteemed Legend
‎03-24-2017 11:41 PM

This one was fun (mostly because I enjoyed the brain-teaser of figuring out what exactly you were doing to get the shown outcome):

|makeresults | eval raw="1-Jan    A::2-Jan    B::2-Jan    B::3-Jan    C::2-Feb    A::1-Mar    V::2-Mar    B::3-Mar    C"
| makemv delim="::" raw
| mvexpand raw
| rename raw AS _raw
| rex "(?<Name>\S+)\s+(?<Value>.*)"
| fields - _raw _time

| rename COMMENT AS "Everything above is faking the data; Everthing below is your solution"

| rex field=Name mode=sed "s/^\d+\-//"
| eval Name=strftime(strptime(Name . " 1 2017", "%b %d %Y"), "%m")
| sort 0 Name
| stats values(Value) AS Value BY Name
| streamstats values(Value) AS Value
| stats dc(Value) AS Value BY Name
| fieldformat Name=strftime(strptime(Name . " 1 2017", "%m %d %Y"), "%b")
0 Karma
Reply

gokadroid
Motivator
‎12-21-2016 10:35 PM

Give this a try if you want to count based on the month and how many times it occurred:

your query to return the data as given in question
| rex field=Name "\-(?<month>.*)"
| stats count by month
| rename month as Name

Updating as per info given in comments

your query to return the data as given in question
| rex field=Name "\-(?<Name>.*)"
| streamstats dc(Value) as Value
| stats last(Value) by Name
Reply

rsathish47
Contributor
‎12-21-2016 11:23 PM

I tried it but it is not giving right count.

i want dedup month
Jan --> dedup till Jan --> 3
FEB --> dedup till Feb---> 3
Mar--> dedup till Mar---> 4

0 Karma
Reply

somesoni2
Revered Legend
‎12-21-2016 09:54 PM

Try this (assuming format of field Name is %d-%b , date-month AND you want to count how many distinct values of field 'Value' is available in the month)

your current search giving field Name, Value
| eval Name=mvindex(split(Name,"-")-1) 
| stats dc(Value) as Value by Name

If this is not what you want, please provide more details on your requirement/data.

Reply

rsathish47
Contributor
‎12-21-2016 10:46 PM

Thank You for the query
I got below output but it is not correct output
Name Value
Feb 1
Jan 3
Mar 3

i want dedup month
Jan --> dedup till Jan --> 3
FEB --> dedup till Feb---> 3
Mar--> dedup till Mar---> 4
...
Please help me

0 Karma
Reply

somesoni2
Revered Legend
‎12-21-2016 11:39 PM

What are your exact requirements? I get you're deduping but what are you doing exactly (more details)?

0 Karma
Reply
Get Updates on the Splunk Community!

Data Management Digest – December 2025

Welcome to the December edition of Data Management Digest! As we continue our journey of data innovation, the ...

Index This | What is broken 80% of the time by February?

December 2025 Edition   Hayyy Splunk Education Enthusiasts and the Eternally Curious!    We’re back with this ...

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...

Hello Splunk Community,   We're thrilled to share an exciting update that will help you manage your data more ...