grouping field data and count

ritzz · ‎10-04-2023

I have data like provided below:

field A

Field B

Field C

Field D

abc.com

1

AB

CD

1

xyz.com

2

AB

CD

1

abc.com

1

AB

CD

1

xyz.com

2

AB

CD

1

def.com

1

AB

CD

0

I want to group Field A values such that all abc.com value come in 1 row with associated count.

I want output like

field A	count	Field B	Field C	Field D
abc.com	2	1 1	AB CD	1 1
xyz.com	2	2 2	AB CD	1 1
def.com	1	1	AB CD	0

if I take path of stats count then it split field C and D which I don't want, I want them to be uniquely compared as a group value. looking for suggestions. Thanks in advance.

ritzz · ‎10-06-2023

after performing the query

base search |  nomv FieldB | nomv FieldC|  nomv FieldD | stats count values(*) as * by FieldA | foreach FieldB,FieldC FieldD [| eval <<FIELD>>=split(<<FIELD>>,"")]

my result table is like below

field A	count	Field c	Field D	Field E	Field F
abc.com	2	a b	A B	abc.com bcf.com def.com	sub1 sub 2 sub 3
def.com	4	A B	A B	bcc.com xyz.com	sub 5 sub 6 sub 6
efg.com	6	B A	A B	jhg.com abc.com ghj.com	sub 4 sub 7 sub 8

I want to ask is their anyway/operation that I can perform on field E and field F so that they are throwing unique combination value rather a multivalue filed. Prior performing count operation in query Field E and F are unique but after count they become multi value which In later stage again I want to tke them to their prior state.

such that where field A,B,C,D remains same but Field E & F are divided further in rows on basis of unique combination of values of field E & F ( but parent unique combination of A,B,C,D remains same)

ITWhisperer · ‎10-06-2023

Can you provide an example of what that would look like?

ritzz · ‎10-09-2023

something like below where Field A,count,B,C are multivalue existing already calculated fields but additionally Field E and F are divided based on domain ( pre calculation we did in last query) but in domain signifying their unique combination values.

Screenshot 2023-10-09 at 22.01.45.png

ITWhisperer · ‎10-10-2023

Yeah, you can't do that. Each "row" is an event, a stats event. You can't split the event part way through. You would need to create a new event e.g.

would become

ITWhisperer · ‎10-04-2023

| nomv FieldB
| nomv FieldC
| nomv FieldD
| stats count values(*) as * by FieldA
| foreach FieldB FieldC FieldD
    [| eval <<FIELD>>=split(<<FIELD>>,"
")]

ritzz · ‎10-06-2023

Thanks ! your provided answer worked.

Additionally, explaining for others coming here.

| nomv FieldB     —- multivalue command to convert multivalued field to a single value field

| nomv FieldC      

| nomv FieldD

| stats count values(*) as * by FieldA     —to get count of field values

| foreach FieldB FieldC FieldD             

    [| eval <<FIELD>>=split(<<FIELD>>,"

")]. —-  for every MV field converted to singlevalue field , converting them back  to multivalue fields

grouping field data and count

count

fields

stats

Splunk Observability Cloud’s AI Assistant in Action Series: Analyzing and ...

Elevate Your Organization with Splunk’s Next Platform Evolution

Splunk Answers Content Calendar, June Edition

Are you a member of the Splunk Community?

grouping field data and count

count

fields

stats

Splunk Observability Cloud’s AI Assistant in Action Series: Analyzing and ...

Elevate Your Organization with Splunk’s Next Platform Evolution

Splunk Answers Content Calendar, June Edition