Splunk Search

How to group by forcing line value

Explorer

Hi,

I want to show how many lines contain some value, even if no line is returned.

My data:

Row 1:
F1: a
Row 2:
F1: b

Result desired in the table:
F1 => Nb
a => 1
b => 1
c => 0

1 Solution

Esteemed Legend

Like this:

|makeresults
| eval host="All real events will have a 'host' value"
| eval F1="a b"
| makemv F1
| mvexpand F1

| rename COMMENT AS "Everything above generates sample events; everything below is your solution"

| append [|makeresults
| rename COMMENT AS "This would better be done using a 'lookup' file with ' |inputlookup append=t' instead of '|makeresults ...'"
| eval F1="a b c d e f list all possible values here"
| makemv F1 ]
| stats count(host) AS Nb BY F1


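The lookup-file variant that the accepted answer recommends in its COMMENT line, written out as an added example; it is not code from the original post. It assumes a lookup file named f1_values.csv (a placeholder) with a single column header F1 and one row per expected value (a, b, c, ...), and placeholder index and sourcetype names for the real events:

```spl
index=myindex sourcetype=mysourcetype
| fields host F1
| inputlookup append=t f1_values.csv
| stats count(host) AS Nb BY F1
| sort F1
```

The rows appended from the lookup carry only F1 and no host field, so count(host) gives 0 for any value that never appeared in the real events while still counting each real event once; a plain count would instead add 1 for every lookup row and inflate every Nb by one. The column name in the lookup must match the event field exactly (F1 is case-sensitive), otherwise the lookup values land in a separate group and the zeros never line up with the real values.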
Explorer

Thanks, your solution works. I added this:

|append [| makeresults | eval F1 ="a b c" | makemv F1] | stats count(host) as Nb BY F1


SplunkTrust

@woodcock answered a very similar question a while back. Check out https://answers.splunk.com/answers/566928/how-to-find-missing-values-from-a-search-events-co-1.html

Motivator

Do you have a master list of all possible values for F1? If yes, is it in a lookup file?
