Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Is there a SPL query pattern that can perform hierarchical counting?

jfhopkins2
Engager
‎12-01-2020 01:57 PM

Is there a SPL query pattern that can perform "hierarchical counting" beyond the two levels of depth outlined in these linked answers?

https://community.splunk.com/t5/Splunk-Search/How-to-group-by-host-then-severity-and-include-a-count...

https://community.splunk.com/t5/Splunk-Search/Group-by-two-or-many-fields-fields/m-p/331415

https://community.splunk.com/t5/Splunk-Search/How-do-you-order-stats-by-multiple-hierarchical-fields...

For example, assume a dataset of car make, model, and transmission type. Show the count by make, then count by make and model, then count by make and model and transmission type. That's 3 levels of depth.

Labels (2)
Labels
Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎12-01-2020 04:01 PM 
| stats count by make model transmission
| eventstats sum(count) as count_m_m by make model
| eventstats sum(count) as count_m by make

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎12-01-2020 04:01 PM 
| stats count by make model transmission
| eventstats sum(count) as count_m_m by make model
| eventstats sum(count) as count_m by make
0 Karma
Reply
Solved! Jump to solution

jfhopkins2
Engager
‎12-02-2020 04:01 PM

That worked nicely, thank you! I wish that I had an easier time thinking this way in SPL.

I added a table with the make, make count, model, model count, transmission and transmission count, and that did the trick. Now I'm going to move onto list value deduping to reduce clutter and see if I can get the different levels of hiearchical counting to line up visually. I'm not holding a lot of confidence in my prospects that way, but you solved the fundamental counting query flow. Thanks again.

0 Karma
Reply
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...