Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

aggregating stats by wildcard or arbitrary number of fields

mikesherov
Engager
‎08-31-2012 05:45 AM

Imagine I have the following data:

msg     uid      AB_test1     AB_test2
click   1        A            A
reqst   2        B            A
click   3        B            B
reqst   4        A            B
click   5        B            A
reqst   6        B            A
click   7        A            A
reqst   8        A            B

I want to do a stats query aggregating the results of my various AB tests for the "click" msg. I can do this:

msg="click" | stats count by AB_test1, AB_test2

But imagine I now have AB_test3 through AB_test10 or a variable number of tests running at once. I don't want to have to do this:

msg="click" | stats count by AB_test1, AB_test2, ... AB_test10

I'd like to do something similar to this:

msg="click" | stats count by AB_*

Is this possible, or is there some similar syntax that essentially groups data by an arbitrary set of fields?

Reply
1 Solution
Solved! Jump to solution
Solution

jonuwz
Influencer
‎08-31-2012 08:11 AM

I'm pretty sure that this technique will fall apart if you want to do anything more complicated, but ..

| inputlookup example.csv | fields - uid | search msg="click" | stats count(AB*) | transpose | rex field=column ^count\((?<column>.*?)\) | rename column as field | rename "row 1" as count

returns

field   count
AB_test1    4
AB_test2    4

View solution in original post

Reply
Solved! Jump to solution

lguinn2
Legend
‎08-31-2012 08:17 AM

I suppose that there is no hope of transforming the data into this format:

msg uid testName testResult

click 1 test1 A

click 1 test2 A

BTW, it would be nice if you could wildcard the stats command as you showed! But you can't, and I can't see any other easy way to do what you want.

0 Karma
Reply
Solved! Jump to solution
Solution

jonuwz
Influencer
‎08-31-2012 08:11 AM

I'm pretty sure that this technique will fall apart if you want to do anything more complicated, but ..

| inputlookup example.csv | fields - uid | search msg="click" | stats count(AB*) | transpose | rex field=column ^count\((?<column>.*?)\) | rename column as field | rename "row 1" as count

returns

field   count
AB_test1    4
AB_test2    4
Reply
Get Updates on the Splunk Community!

Data Management Digest – November 2025

  Welcome to the inaugural edition of Data Management Digest! As your trusted partner in data innovation, the ...

Splunk Mobile: Your Brand-New Home Screen

Meet Your New Mobile Hub  Hello Splunk Community!  Staying connected to your data—no matter where you are—is ...

Introducing Value Insights (Beta): Understand the Business Impact your organization ...

Real progress on your strategic priorities starts with knowing the business outcomes your teams are delivering ...