Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Is there a SPL query pattern that can perform hierarchical counting?

jfhopkins2
Engager
‎12-01-2020 01:57 PM

Is there a SPL query pattern that can perform "hierarchical counting" beyond the two levels of depth outlined in these linked answers?

https://community.splunk.com/t5/Splunk-Search/How-to-group-by-host-then-severity-and-include-a-count...

https://community.splunk.com/t5/Splunk-Search/Group-by-two-or-many-fields-fields/m-p/331415

https://community.splunk.com/t5/Splunk-Search/How-do-you-order-stats-by-multiple-hierarchical-fields...

For example, assume a dataset of car make, model, and transmission type. Show the count by make, then count by make and model, then count by make and model and transmission type. That's 3 levels of depth.

Labels (2)
Labels
Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎12-01-2020 04:01 PM 
| stats count by make model transmission
| eventstats sum(count) as count_m_m by make model
| eventstats sum(count) as count_m by make

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎12-01-2020 04:01 PM 
| stats count by make model transmission
| eventstats sum(count) as count_m_m by make model
| eventstats sum(count) as count_m by make
0 Karma
Reply
Solved! Jump to solution

jfhopkins2
Engager
‎12-02-2020 04:01 PM

That worked nicely, thank you! I wish that I had an easier time thinking this way in SPL.

I added a table with the make, make count, model, model count, transmission and transmission count, and that did the trick. Now I'm going to move onto list value deduping to reduce clutter and see if I can get the different levels of hiearchical counting to line up visually. I'm not holding a lot of confidence in my prospects that way, but you solved the fundamental counting query flow. Thanks again.

0 Karma
Reply
Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Dynamic formatting from XML events

This challenge was first posted on Slack #puzzles channelFor a previous puzzle, I needed a set of fixed-length ...

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

  🚀 Your data just got a serious AI upgrade — are you ready? Say hello to the Agentic Era with the ...

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...