Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

count(var) by "a list of values within a field"

ndey
New Member
‎08-20-2018 04:18 AM

First of all, sorry, if I am missing something really obvious here but after hours of googling I am still stuck with the following problem.

Basically I have a list of URLs and a score in the format like that:

http://www.abc.com/abc/abc.html 50
http://www.abc.com/abc/abc.html 30
www.xyz.org/asd/ 12
qwer.com/asd 7

What I try to achieve now is to group some of the URLs and have the sum of the score displayed in a table. For example:

abc.com & xyz.org = "External Sites" will then lead to the following table:

`Site name | Sum

External Sites | 92`

The approach so far is to have an

| eval siteName = if(match(url, [some regex], ...)

add a new field with the site name which works.

The interesting part now is, that some of the groups might not have events present all the time and | stats sum(score) as Sum by siteName obviously gives me only sum of the groups that are present.

Is there any way to give me a table for an list of sitenames that "could" be there like the following:

`Site name | Sum

External Sites | 92
Internal Sites | 0`

Thank you very much in advance

Andreas

Tags (2)
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎08-20-2018 04:52 AM

Try setting the sums to zero before the stats command.

... | eval 'External Sites'=0, 'Internal Sites'=0 | stats sum(...
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

ndey
New Member
‎08-21-2018 01:18 AM

Whoops, I just realized, that the example tables I put into the post are messed up, which might have made the desired format a bit unclear. Here is another try

Site Name - Sum
...............................
Internal Sites - 20
External Sites - 40

The problem is I am looking for a way to have one filed containing tags like "External Sites", "Internal Sites" .... and then sum up the score by these tags

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎08-21-2018 04:54 AM

You have the general idea in your original question. Use case to evaluate URLs as either internal or external. Then use the stats command to count internal vs external sites.

... | eval siteName = case(if(match(url, "something that matches internal sites"),"internal", 1=1, "external") | eval external=0, internal=0 | stats sum by siteName

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Boston may be buzzing this September with Splunk University and .conf25, but you don’t have to pack a bag to ...

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Unlock What’s Next: The Splunk Cloud Platform at .conf25

In just a few days, Boston will be buzzing as the Splunk team and thousands of community members come together ...