Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to use part of field names for grouping operations in a search?

zaphod1984
Path Finder
‎06-09-2016 12:08 AM

I have log messages in the following format:

_time=... a_foo=10 a_bar=1 a_baz=20
_time=... a_foo=1 a_bar=2 a_baz=1
_time=... a_foo=5 a_bar=5 a_baz=3

I want to take all fields starting with 'a_' and use the second part of the field name as the value which is used for a grouping operation
That means, when I'm using a query like this:

index=foo | ...<insert magic here>... | stats sum(...) by ...

a result like this should be returned:

foo=16 bar=8 baz=24

Is a transformation like this somehow possible?

Thank you!

Reply
1 Solution
Solved! Jump to solution
Solution

MuS
Legend
‎06-09-2016 02:49 AM

Hi zaphod1984,

sure you can do this in Splunk 😉 Using stats you can run this run everywhere search to learn how this can be done:

| gentimes start=-1 | eval _time=now(), a_foo=10, a_bar=1, a_baz=20 | stats values(a_*) AS * by _time

the result looks like this:

alt text

Hope this helps and if not, adapt it to your needs ...

cheers, MuS

View solution in original post

Preview file
1 KB
Reply
Solved! Jump to solution

zaphod1984
Path Finder
‎06-09-2016 02:50 AM

I found out how to do it by myself, for future reference:

first i filter all the fields that are interesting to me (the a_* fields), than via sum(*) as * a sum is built over every field in the result set with the name of the field as the column, hence the as * part.

index=foo | fields + a_* | stats sum(*) as *

this leaves us with a result in the form 

a_foo a_bar a_baz
16    8     24

if we now want to do a pie chart over the result strange things happen as the pie chart only takes the values of the first columns into acount, this can be easily mitigated via transpose:

index=foo | fields + a_* | stats sum(*) as * | transpose

the result now is:

a_foo 16
a_bar 8
a_baz 24

for my use case this is perfectly fine, one could additionally to a rename if necessary

if instead of a stat a timechartis required, the following approach works:
like in the stat version filter the fields by a_*, via the table format the order of the columns is changed as for a timechart the _time field has to be the first column. the subsequent timechart command than groups via sum(*) as * like in the stats example

index=foo | fields + a_* | table _time * | timechart span=10m sum(*) as *
0 Karma
Reply
Solved! Jump to solution
Solution

MuS
Legend
‎06-09-2016 02:49 AM

Hi zaphod1984,

sure you can do this in Splunk 😉 Using stats you can run this run everywhere search to learn how this can be done:

| gentimes start=-1 | eval _time=now(), a_foo=10, a_bar=1, a_baz=20 | stats values(a_*) AS * by _time

the result looks like this:

alt text

Hope this helps and if not, adapt it to your needs ...

cheers, MuS

Preview file
1 KB
Reply
Solved! Jump to solution

zaphod1984
Path Finder
‎06-09-2016 02:54 AM

thank you very much, you have been a little bit faster than me with answering 🙂

that feature with the implicit extraction from the field name via values(a_*) AS * is very cool!
would this still work if there very multiple combinations like a_foo, a_bar, b_baz?

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...