Re: grouping field data and count

ritzz · ‎10-04-2023

I have data like provided below:

field A

Field B

Field C

Field D

abc.com

1

AB

CD

1

xyz.com

2

AB

CD

1

abc.com

1

AB

CD

1

xyz.com

2

AB

CD

1

def.com

1

AB

CD

0

I want to group Field A values such that all abc.com value come in 1 row with associated count.

I want output like

field A	count	Field B	Field C	Field D
abc.com	2	1 1	AB CD	1 1
xyz.com	2	2 2	AB CD	1 1
def.com	1	1	AB CD	0

if I take path of stats count then it split field C and D which I don't want, I want them to be uniquely compared as a group value. looking for suggestions. Thanks in advance.

ritzz · ‎10-06-2023

after performing the query

base search |  nomv FieldB | nomv FieldC|  nomv FieldD | stats count values(*) as * by FieldA | foreach FieldB,FieldC FieldD [| eval <<FIELD>>=split(<<FIELD>>,"")]

my result table is like below

field A	count	Field c	Field D	Field E	Field F
abc.com	2	a b	A B	abc.com bcf.com def.com	sub1 sub 2 sub 3
def.com	4	A B	A B	bcc.com xyz.com	sub 5 sub 6 sub 6
efg.com	6	B A	A B	jhg.com abc.com ghj.com	sub 4 sub 7 sub 8

I want to ask is their anyway/operation that I can perform on field E and field F so that they are throwing unique combination value rather a multivalue filed. Prior performing count operation in query Field E and F are unique but after count they become multi value which In later stage again I want to tke them to their prior state.

such that where field A,B,C,D remains same but Field E & F are divided further in rows on basis of unique combination of values of field E & F ( but parent unique combination of A,B,C,D remains same)

ITWhisperer · ‎10-06-2023

Can you provide an example of what that would look like?

ritzz · ‎10-09-2023

something like below where Field A,count,B,C are multivalue existing already calculated fields but additionally Field E and F are divided based on domain ( pre calculation we did in last query) but in domain signifying their unique combination values.

ITWhisperer · ‎10-10-2023

Yeah, you can't do that. Each "row" is an event, a stats event. You can't split the event part way through. You would need to create a new event e.g.

would become

ITWhisperer · ‎10-04-2023

| nomv FieldB
| nomv FieldC
| nomv FieldD
| stats count values(*) as * by FieldA
| foreach FieldB FieldC FieldD
    [| eval <<FIELD>>=split(<<FIELD>>,"
")]

ritzz · ‎10-06-2023

Thanks ! your provided answer worked.

Additionally, explaining for others coming here.

| nomv FieldB     —- multivalue command to convert multivalued field to a single value field

| nomv FieldC      

| nomv FieldD

| stats count values(*) as * by FieldA     —to get count of field values

| foreach FieldB FieldC FieldD             

    [| eval <<FIELD>>=split(<<FIELD>>,"

")]. —-  for every MV field converted to singlevalue field , converting them back  to multivalue fields

grouping field data and count

count

fields

stats

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Index This | What travels the world but is also stuck in place?

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

Join the Conversation