Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Is there a SPL query pattern that can perform hierarchical counting?

jfhopkins2
Engager
‎12-01-2020 01:57 PM

Is there a SPL query pattern that can perform "hierarchical counting" beyond the two levels of depth outlined in these linked answers?

https://community.splunk.com/t5/Splunk-Search/How-to-group-by-host-then-severity-and-include-a-count...

https://community.splunk.com/t5/Splunk-Search/Group-by-two-or-many-fields-fields/m-p/331415

https://community.splunk.com/t5/Splunk-Search/How-do-you-order-stats-by-multiple-hierarchical-fields...

For example, assume a dataset of car make, model, and transmission type. Show the count by make, then count by make and model, then count by make and model and transmission type. That's 3 levels of depth.

Labels (2)
Labels
Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎12-01-2020 04:01 PM 
| stats count by make model transmission
| eventstats sum(count) as count_m_m by make model
| eventstats sum(count) as count_m by make

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎12-01-2020 04:01 PM 
| stats count by make model transmission
| eventstats sum(count) as count_m_m by make model
| eventstats sum(count) as count_m by make
0 Karma
Reply
Solved! Jump to solution

jfhopkins2
Engager
‎12-02-2020 04:01 PM

That worked nicely, thank you! I wish that I had an easier time thinking this way in SPL.

I added a table with the make, make count, model, model count, transmission and transmission count, and that did the trick. Now I'm going to move onto list value deduping to reduce clutter and see if I can get the different levels of hiearchical counting to line up visually. I'm not holding a lot of confidence in my prospects that way, but you solved the fundamental counting query flow. Thanks again.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...