Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Splunk Search
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to group multiple field values into one field
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
DEAD_BEEF
Builder
03-26-2019
06:21 AM
I have logs where I want to count multiple values for a single field as "start" and other various values as "end". How would I go about this? I want to be able to show two rows or columns where I show the total number of start and end values.
index=foo (my_field=1 OR my_field=2 OR my_field=3 OR my_field=4 OR my_field=5 OR my_field=6)
| eval start = my_field=1 OR my_field=2 OR my_field=3
| eval end = my_field=4 OR my_field=5 OR my_field=6
| stats count by start end
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
DEAD_BEEF
Builder
03-26-2019
06:36 AM
I ended up using case
index=foo (my_field=1 OR my_field=2 OR my_field=3 OR my_field=4 OR my_field=5 OR my_field=6)
| eval status=case(my_field=1 "start", my_field=2 "start", my_field=3 "start", my_field=4 "end", my_field=5 "end", my_field=6 "end")
| stats count by status
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
DEAD_BEEF
Builder
03-26-2019
06:36 AM
I ended up using case
index=foo (my_field=1 OR my_field=2 OR my_field=3 OR my_field=4 OR my_field=5 OR my_field=6)
| eval status=case(my_field=1 "start", my_field=2 "start", my_field=3 "start", my_field=4 "end", my_field=5 "end", my_field=6 "end")
| stats count by status
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
somesoni2
Revered Legend
03-26-2019
06:44 AM
That would be the way to go. A minor cosmetic change (clubbing multiple conditions together, adding else/default forrest of values/conditions):
index=foo (my_field=1 OR my_field=2 OR my_field=3 OR my_field=4 OR my_field=5 OR my_field=6)
| eval status=case(my_field=1 OR my_field=2 OR my_field=3, "start", true(), "end")
| stats count by status
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
khreddy
Explorer
03-26-2019
10:12 PM
You could use "in" function to check the static value list to the above query:
index=foo (my_field=1 OR my_field=2 OR my_field=3 OR my_field=4 OR my_field=5 OR my_field=6)
| eval status=case(in(my_field,1,2,3),"Start",in(my_field,4,5,6),"End",1==1,NULL)
| stats count by status
Get Updates on the Splunk Community!
Upcoming Webinar: Unmasking Insider Threats with Slunk Enterprise Security’s UEBA
Join us on Wed, Dec 10. at 10AM PST / 1PM EST for a live webinar and demo with Splunk experts! Discover how ...
.conf25 technical session recap of Observability for Gen AI: Monitoring LLM ...
If you’re unfamiliar, .conf is Splunk’s premier event where the Splunk community, customers, partners, and ...
A Season of Skills: New Splunk Courses to Light Up Your Learning Journey
There’s something special about this time of year—maybe it’s the glow of the holidays, maybe it’s the ...
