Splunk Search

How to sort and group data by day and ID?

Yaichael
Communicator

I would like to display the events as the following:

alt text

where it is grouped and sorted by day, and sorted by ID numerically (after converting from string to number). I have only managed to group and sort the events by day, but I haven't reached the desired result.

Any better approach?

Thanks!

Tags (1)
0 Karma
1 Solution

DalJeanis
Legend

Something is very strange about your query. Why are you grouping by amount? Is the amount really always $1? If so, you wouldn't have to group by it. If not, then you probably wouldn't want to group by it.

This is similar to one strategy that I use...

| rex mode=sed field=amount "s/[^\d\.-]//g"
| bucket _time span=1d
| stats count as myCount sum(amount) as myAmount by _time id name
| rename id as IDs
| eval NameCount = name." ----- ".myCount
| stats values(NameCount) as NameCount, sum(myCount) as Count, sum(myAmount) as Total by _time IDs    
| rename COMMENT as "Tne above puts Name and the related Count together line by line into a single multivalue field."

| eval Total = "$".ROUND(Total,2)
| rename Total as "Total_Amount"
| rename NameCount as "Name_____Count_By_Name"
| eval Dates = _time
| sort 0 Dates
| convert timeformat="%m/%d/%Y" ctime(Dates)

View solution in original post

DalJeanis
Legend

Something is very strange about your query. Why are you grouping by amount? Is the amount really always $1? If so, you wouldn't have to group by it. If not, then you probably wouldn't want to group by it.

This is similar to one strategy that I use...

| rex mode=sed field=amount "s/[^\d\.-]//g"
| bucket _time span=1d
| stats count as myCount sum(amount) as myAmount by _time id name
| rename id as IDs
| eval NameCount = name." ----- ".myCount
| stats values(NameCount) as NameCount, sum(myCount) as Count, sum(myAmount) as Total by _time IDs    
| rename COMMENT as "Tne above puts Name and the related Count together line by line into a single multivalue field."

| eval Total = "$".ROUND(Total,2)
| rename Total as "Total_Amount"
| rename NameCount as "Name_____Count_By_Name"
| eval Dates = _time
| sort 0 Dates
| convert timeformat="%m/%d/%Y" ctime(Dates)

Yaichael
Communicator

Thanks for the help.

How can I split the total amount by counted names?

0 Karma

Yaichael
Communicator
(...)
| rex mode=sed field=amount "s/[^\d\.-]//g"
| bucket _time span=1d
| stats count as myCount sum(amount) as myAmount by _time id name
| rename id as IDs
| eval NameCount = name." ----- ".myCount
| eval TotalCount = name." ----- $".myAmount
| stats values(NameCount) as NameCount, sum(myCount) as Count, values(TotalCount) as TotalCount , sum(myAmount) as Total by _time IDs
| eval Total = "$".ROUND(Total,2)
| rename Total as "Total Amount" TotalCount as "Amount by Name"
| rename NameCount as "Names ----- Count by Name"
0 Karma

DalJeanis
Legend

Yes, that should work. you might want to format the Amount by name...

| eval TotalCount = name." ----- $".Round(myAmount,2)

I would tend to put each count and amount into a single field, and align them

(...)
| rex mode=sed field=amount "s/[^\d\.-]//g"
| bucket _time span=1d
| stats count as myCount sum(amount) as myAmount by _time id name
| eval namelen=len(name), amtlen=len(tostr(round(myAmount,2))), countlen=len(tostr(count))
| eventstats max(namelen) as maxname, max(amtlen) as maxamt,max(countlen) as maxcount
| eval biglongspacestring="                             "
| eval namespacer = substr(biglongspacestring,1,1+maxname-namelen)
| eval amtspacer = substr(biglongspacestring,1,1+maxamt-amtlen)
| eval countspacer = substr(biglongspacestring,1,1+maxcount-countlen)
| eval NameCount = name." ".namespacer." ".myCount." ".countspacer.amtspacer." $".tostr(round(myAmount,2))
| stats values(NameCount) as NameCount, sum(myCount) as Count, sum(myAmount) as Total by _time IDs
| eval Total = "$".round(Total,2)
| rename Total as "Total Amount" 
| rename NameCount as "Per Name-----Count-----Amount"
0 Karma

somesoni2
Revered Legend

Give this a try

(...)
 | rex mode=sed field=amount "s/[^\d\.-]//g"
 | bucket _time span=1d
 | stats count by _time id name amount
 | rename id as IDs
 | stats list(name) as Names list(count) as "Count by Name" sum(amount) as "Total Amount" by _time IDs
 | eval "Total Amount" = "$".'Total Amount'
 | eval Date=strftime(_time,"%m/%d/%Y") | fields - _time

Yaichael
Communicator

Thanks. I forgot to put Names as the following:

| stats values(name) as Names (...)

because I would like to have the sum of each unique value of it in: list(count).

0 Karma

somesoni2
Revered Legend

I'm not sure if the two level grouping is possible (group by Date and Group by num, kind of excel type merging/grouping). You may be able to achieve this.

Dates ID Names Count total
Date1 num1 ABC 10 100
           DEF 90
Date1 num2 XYZ 20 50
           PQR 30

If you can post your current query, I can update it to provide above format

0 Karma

Yaichael
Communicator

Thanks for the reply, someoni2.

Here's my current query:

(...)
| rex mode=sed field=amount "s/[^\d\.-]//g"
| bucket _time span=1d
| stats count by _time id name amount
| rename id as IDs
| stats values(_time) as Dates values(name) as Names list(count) as "Count by Name" sum(amount) AS total by IDs
| eval Total = "$".total
| rename Total as "Total Amount"
| fields - total
| sort - Dates
| convert timeformat="%m/%d/%Y" ctime(Dates)
0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...