Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to use part of field names for grouping operations in a search?

zaphod1984
Path Finder
‎06-09-2016 12:08 AM

I have log messages in the following format:

_time=... a_foo=10 a_bar=1 a_baz=20
_time=... a_foo=1 a_bar=2 a_baz=1
_time=... a_foo=5 a_bar=5 a_baz=3

I want to take all fields starting with 'a_' and use the second part of the field name as the value which is used for a grouping operation
That means, when I'm using a query like this:

index=foo | ...<insert magic here>... | stats sum(...) by ...

a result like this should be returned:

foo=16 bar=8 baz=24

Is a transformation like this somehow possible?

Thank you!

Reply
1 Solution
Solved! Jump to solution
Solution

MuS
Legend
‎06-09-2016 02:49 AM

Hi zaphod1984,

sure you can do this in Splunk 😉 Using stats you can run this run everywhere search to learn how this can be done:

| gentimes start=-1 | eval _time=now(), a_foo=10, a_bar=1, a_baz=20 | stats values(a_*) AS * by _time

the result looks like this:

alt text

Hope this helps and if not, adapt it to your needs ...

cheers, MuS

View solution in original post

Preview file
1 KB
Reply
Solved! Jump to solution

zaphod1984
Path Finder
‎06-09-2016 02:50 AM

I found out how to do it by myself, for future reference:

first i filter all the fields that are interesting to me (the a_* fields), than via sum(*) as * a sum is built over every field in the result set with the name of the field as the column, hence the as * part.

index=foo | fields + a_* | stats sum(*) as *

this leaves us with a result in the form 

a_foo a_bar a_baz
16    8     24

if we now want to do a pie chart over the result strange things happen as the pie chart only takes the values of the first columns into acount, this can be easily mitigated via transpose:

index=foo | fields + a_* | stats sum(*) as * | transpose

the result now is:

a_foo 16
a_bar 8
a_baz 24

for my use case this is perfectly fine, one could additionally to a rename if necessary

if instead of a stat a timechartis required, the following approach works:
like in the stat version filter the fields by a_*, via the table format the order of the columns is changed as for a timechart the _time field has to be the first column. the subsequent timechart command than groups via sum(*) as * like in the stats example

index=foo | fields + a_* | table _time * | timechart span=10m sum(*) as *
0 Karma
Reply
Solved! Jump to solution
Solution

MuS
Legend
‎06-09-2016 02:49 AM

Hi zaphod1984,

sure you can do this in Splunk 😉 Using stats you can run this run everywhere search to learn how this can be done:

| gentimes start=-1 | eval _time=now(), a_foo=10, a_bar=1, a_baz=20 | stats values(a_*) AS * by _time

the result looks like this:

alt text

Hope this helps and if not, adapt it to your needs ...

cheers, MuS

Preview file
1 KB
Reply
Solved! Jump to solution

zaphod1984
Path Finder
‎06-09-2016 02:54 AM

thank you very much, you have been a little bit faster than me with answering 🙂

that feature with the implicit extraction from the field name via values(a_*) AS * is very cool!
would this still work if there very multiple combinations like a_foo, a_bar, b_baz?

0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...