Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Splunk Search
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: How to group by forcing line value
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
matimat
Explorer
11-04-2019
12:02 PM
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
woodcock
Esteemed Legend
11-04-2019
06:12 PM
Like this:
|makeresults
| eval host="All real events will have a 'host' value"
| eval F1="a b"
| makemv F1
| mvexpand F1
| rename COMMENT AS "Everything above generates sample events; everything below is your solution"
| append [|makeresults
| rename COMMENT AS "This would better be done using a 'lookup' file with ' |inputlookup append=t' instead of '|makeresults ...'"
| eval F1="a b c d e f list all possible values here"
| makemv F1 ]
| stats count(host) AS Nb BY F1
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
woodcock
Esteemed Legend
11-04-2019
06:12 PM
Like this:
|makeresults
| eval host="All real events will have a 'host' value"
| eval F1="a b"
| makemv F1
| mvexpand F1
| rename COMMENT AS "Everything above generates sample events; everything below is your solution"
| append [|makeresults
| rename COMMENT AS "This would better be done using a 'lookup' file with ' |inputlookup append=t' instead of '|makeresults ...'"
| eval F1="a b c d e f list all possible values here"
| makemv F1 ]
| stats count(host) AS Nb BY F1
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
matimat
Explorer
11-05-2019
12:16 AM
Thanks your solution works. I add this :
|append [| makeresults | eval F1 ="a b c" | makemv F1] | stats count(host) as Nb BY F1
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
nplamondon
Communicator
11-04-2019
04:22 PM
@woodcock answered a very similar question a while back. Check out https://answers.splunk.com/answers/566928/how-to-find-missing-values-from-a-search-events-co-1.html
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
arjunpkishore5
Motivator
11-04-2019
01:02 PM
Do you have a master list of all possible values for F1? If yes, is it in a lookup file?
Get Updates on the Splunk Community!
Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...
Wednesday, May 29, 2024 | 11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...
Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...
We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...
Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...
Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...
