
Want to do GROUP BY to my result set

Contributor

Hi,

My input is:

Name    File   Grade
abhay   file1  A
murari  file2  B
abhay   file3  C
abhay   file4  A
trid    file5  D
murari  file4  E

My output should be:

Name    File  Grade
abhay   3     A,C
murari  2     B,E
trid    1     D

This means Abhay has 3 files, Murari has 2 files and trid has 1 file, along with their corresponding grades.

Please help !!

Thanks in advance,
Abhay


Re: Want to do GROUP BY to my result set

Champion

I wrote this off the cuff, so it might work or give you a few ideas.


... | eval Grade=(Name=Name,mvjoin(Grade,","), Grade) |stats count(file) as file values(Grade) by Name

0 Karma

Re: Want to do GROUP BY to my result set

Contributor

index="a" |where isnotnull(Grade) | eval Grade=(Name=Name,mvjoin(Grade,","), Grade) |stats count(file) as file values(Grade) by Name

I am running this query but getting the following error:

[EventsViewer module] Error in 'eval' command: The expression is malformed. Expected ).

0 Karma

Re: Want to do GROUP BY to my result set

Contributor

Thanks a lot for your assistance !!

0 Karma

Re: Want to do GROUP BY to my result set

Champion

Did my search work for you or do you still need assistance? You shouldn't need the where statement.

... | eval Grade=if(Name=Name,mvjoin(Grade,","), Grade) |stats count(file) as file values(Grade) by Name

Forgot my if statement.


Re: Want to do GROUP BY to my result set

Splunk Employee

Guys, if you want your answers to be accepted, don't write them as comments.
You should repost as an answer to get karma 🙂


Re: Want to do GROUP BY to my result set

Splunk Employee

* | stats dc(File) AS "number of distinct files" values(File) AS "List of Files" values(Grade) AS "List of Grades" by Name

You are welcome.
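
The grouping asked for in the question, as a self-contained search that can be pasted into a Splunk search bar (an added example, not a search posted by anyone in this thread). It rebuilds the question's six rows with makeresults, so the field names raw and parts are assumptions of this example, then applies stats by Name and flattens the multivalue Grade with mvjoin.

```spl
| makeresults
| eval raw="abhay,file1,A;murari,file2,B;abhay,file3,C;abhay,file4,A;trid,file5,D;murari,file4,E"
| makemv delim=";" raw
| mvexpand raw
| eval parts=split(raw, ",")
| eval Name=mvindex(parts, 0), File=mvindex(parts, 1), Grade=mvindex(parts, 2)
| stats dc(File) AS File values(Grade) AS Grade by Name
| eval Grade=mvjoin(Grade, ",")
```

values() returns distinct values in lexicographical order, which is why abhay's two A grades collapse into A,C. dc(File) counts distinct files, so use count(File) instead if repeated file names should each be counted.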


Re: Want to do GROUP BY to my result set

Explorer

Awesome, I was sort of working in the same direction. The problem I am having is that now that I have an MV field, I can't sort the field. Below is an example of one of the fields returned. What I need to do is order the MV field so that when I go after the indexes of the MV field I get back the correct number. Unfortunately the app server doesn't give them to me in order. So if I just did the index of 16 below I would get 31, but what should actually be the 16th index is 190. So how do I sort the values of an MV field?

rexLatency
1

0
31
0
31
31
26
0
177
190
179
190
190
185
179
31
31

0 Karma

Re: Want to do GROUP BY to my result set

Splunk Employee

I do not know of any multivalue sorting tools out of the box; you may want to read this one: http://answers.splunk.com/answers/11394/is-it-possible-to-sort-or-reorder-a-multivalue-field

0 Karma

Re: Want to do GROUP BY to my result set

Explorer

This is wonderful. values(xxx) function did it. This is exactly what I'm after.

0 Karma