Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Splunk Search group by parameter

zservati
Explorer
‎01-31-2012 11:27 AM

I am trying to perform a search and using regx and parameter can summarize the result based on two categories which are filing-type and application ( see in bold below). My data looks as listed below for each filing record I have one event in the raw data now I need to get a count for each filing-type and application and the result output should be:

Filing-type Application Count
IRS-941-Payment QUICKBOOKS-DIY 1
SSA-W3-FILING QUICKBOOKS-DIY 1

The basic search perform to get the results below is :

index=efepr Filing was routed from FILING-PROCESSOR RECEIVED

==== Search result

1639] - Filing # 43221772, was routed from FILING-PROCESSOR to [queue/CONVERTER] with key {IRS-941-PAYMENT, IRS, QUICKBOOKS-DIY, Y:2012 W:5, RECEIVED}

1539] - Filing # 43221752, was routed from FILING-PROCESSOR to [queue/CONVERTER] with key {SSA-W3-FILING, IRS, QUICKBOOKS-DIY, Y:2011 M:1, RECEIVED}

Tags (2)
Reply

hexx
Splunk Employee
Splunk Employee
‎01-31-2012 12:48 PM

Update: Now with in-line field extractions.

Provided that you have successfully extracted the fields "filing-type" (note that Splunk will flatten the dash in that field name to an underscore) and "application", it seems that you are looking for a search like this one :

index=efepr <additional search terms> | rex "\{(?<filing_type>[^,]*?),(?<filing_recipient>[^,]*?),(?<application>[^,]*?),(?<filing_date>[^,]*?),(?<filing_status>[^\}]*?)\}" | stats count by filing_type, application
0 Karma
Reply

zservati
Explorer
‎02-01-2012 01:47 PM

What listed below is the result of the search basically we log this for each filing. Below is a sample what the search returns for two filing records.

1639] - Filing # 43221772, was routed from FILING-PROCESSOR to [queue/CONVERTER] with key {IRS-941-PAYMENT, IRS, QUICKBOOKS-DIY, Y:2012 W:5, RECEIVED}

1539] - Filing # 43221752, was routed from FILING-PROCESSOR to [queue/CONVERTER] with key {SSA-W3-FILING, IRS, QUICKBOOKS-DIY, Y:2011 M:1, RECEIVED}

0 Karma
Reply

hexx
Splunk Employee
Splunk Employee
‎02-01-2012 10:22 AM

To help you with that, we'll need to see a couple of sample events.

0 Karma
Reply

zservati
Explorer
‎02-01-2012 09:49 AM

Extracting Filing Type and Application is what I'm struggling for so could you please let me know how I can extract these fields and assign it to two parameters Filing_type and Application, which then as you pointed out I can use stats to group them.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Tiling

This puzzle (first published here) is based on finding groups of tessellated tiles (inspired by floor tiles I ...

SOK it to Me: Top 3 Benefits of Using Splunk Operator on Kubernetes that’ll Make ...

    Thursday, July 9, 2026  |  11:00AM–12:00PM PDT Duration: 1 hour (includes Q&A) Managing can feel like a ...

Upgrade Prep for 10.4, Network Observability Deep Dives, and More from Splunk Lantern

Splunk Lantern is Splunk’s customer success center that provides practical guidance from Splunk experts on key ...