Splunk Search

How to group values of the same field and display timechart counts for each group month over month?

tmaltizo
Path Finder

I first need to group values of the same field...

Group1 (values match A1, A2, A3,...)
Group2 (values match B1, B2, B3,...)
Group3 (values match C1, C2, C3,...)

...then, I need to display the counts for each group (Group1, Group2, Group3) month-over-month.

Thanks for any assistance!
Trista

0 Karma

jkat54
SplunkTrust

     ... | eval group1=if(match(fieldName,"A.*"),1,0) | eval group2=if(match(fieldName,"B.*"),1,0) | eval group3=if(match(fieldName,"C.*"),1,0) | stats count by group*



The A.*, B.*, & C.* should be regular expressions that match the value of fieldName to the desired/correct group number.

The stats group* will do the count for each group.

The "..." is where you put your root search.

fieldName should be the name of the field that contains the data.

Let me know if that helps!

0 Karma

tmaltizo
Path Finder

Thanks for your response @jkat54!

I tried running specifically the following...

     ... | eval group1=if(match(message_subject,"CyFin"),1,0) | stats count by group*

I'm getting the error below...

     Error in 'eval' command: Regex: nothing to repeat
     The search job has failed due to an error. You may be able to view the job in the Job Inspector.

Please advise.....

0 Karma

jkat54
SplunkTrust

If you put .* in front of and behind CyFin, what happens?

0 Karma

tmaltizo
Path Finder

@jkat54

I'm getting numbers for each of the following searches. I just want to put them together in one search and output each count....

Note that asterisks are in the front and back of each string within the quotes and no backslashes.

  • index=index message_subject="[CyFin" | stats count(message_subject)
  • index=index message_subject="[CyberIntel Confidential]" | stats count(message_subject)
  • index=index message_subject="[TNT-" | stats count(message_subject)

Thanks for your continued help!

0 Karma

jkat54
SplunkTrust

If they are all in the same index you can do this:

     index=index | stats count by message_subject

OR

     index=index message_subject="[TNT-" OR message_subject="[CyberIntel Confidential]" OR message_subject="[CyFin" | stats count by message_subject


If they are in different indexes, you can do this:

     index=index1 message_subject="[TNT-" OR index=index2 message_subject="[CyberIntel Confidential]" OR index=index3 message_subject="[CyFin" | stats count by message_subject

0 Karma
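Putting the thread together, as an added example that is not code from any of the posts above: the three subject tags are mapped to a single group field with case() and then counted per calendar month with timechart, which is the month-over-month view the original question asks for. The index name `index` and the field `message_subject` are taken from the thread; the group labels and the "Other" bucket are assumptions. Note the regex side of the earlier error: `[` and `]` are metacharacters in the PCRE engine behind match(), so they are escaped with a backslash, and no `*` wildcard goes inside the regex. A pattern that starts with `*` has nothing for the quantifier to repeat, which is exactly the "Regex: nothing to repeat" message reported above. Wildcards are fine in the base search term, which is why the first line uses them.

```spl
index=index (message_subject="*[CyFin*" OR message_subject="*[CyberIntel Confidential]*" OR message_subject="*[TNT-*")
| eval group=case(
      match(message_subject, "\[CyFin"),                     "Group1",
      match(message_subject, "\[CyberIntel Confidential\]"), "Group2",
      match(message_subject, "\[TNT-"),                      "Group3",
      true(),                                                "Other")
| timechart span=1mon count by group
```

case() evaluates its branches top-down, so a subject that matches two tags lands in the first group listed; order the branches accordingly. Swap the last line for `| stats count by group` to get a single table of totals instead of a time series, and change `span=1mon` to `span=1w` or `span=1d` for finer buckets. Using one group field rather than three separate 0/1 flags is what makes `timechart ... by group` produce one column per group.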

jkat54
SplunkTrust

     index=index message_subject="example1" OR message_subject="example2" OR message_subject="example3" | stats count by message_subject

0 Karma