Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Is there a SPL query pattern that can perform hierarchical counting?

jfhopkins2
Engager
‎12-01-2020 01:57 PM

Is there a SPL query pattern that can perform "hierarchical counting" beyond the two levels of depth outlined in these linked answers?

https://community.splunk.com/t5/Splunk-Search/How-to-group-by-host-then-severity-and-include-a-count...

https://community.splunk.com/t5/Splunk-Search/Group-by-two-or-many-fields-fields/m-p/331415

https://community.splunk.com/t5/Splunk-Search/How-do-you-order-stats-by-multiple-hierarchical-fields...

For example, assume a dataset of car make, model, and transmission type. Show the count by make, then count by make and model, then count by make and model and transmission type. That's 3 levels of depth.

Labels (2)
Labels
Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎12-01-2020 04:01 PM 
| stats count by make model transmission
| eventstats sum(count) as count_m_m by make model
| eventstats sum(count) as count_m by make

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎12-01-2020 04:01 PM 
| stats count by make model transmission
| eventstats sum(count) as count_m_m by make model
| eventstats sum(count) as count_m by make
0 Karma
Reply
Solved! Jump to solution

jfhopkins2
Engager
‎12-02-2020 04:01 PM

That worked nicely, thank you! I wish that I had an easier time thinking this way in SPL.

I added a table with the make, make count, model, model count, transmission and transmission count, and that did the trick. Now I'm going to move onto list value deduping to reduce clutter and see if I can get the different levels of hiearchical counting to line up visually. I'm not holding a lot of confidence in my prospects that way, but you solved the fundamental counting query flow. Thanks again.

0 Karma
Reply
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...