grouping field data and count

ritzz · ‎10-04-2023

I have data like provided below:

field A

Field B

Field C

Field D

abc.com

1

AB

CD

1

xyz.com

2

AB

CD

1

abc.com

1

AB

CD

1

xyz.com

2

AB

CD

1

def.com

1

AB

CD

0

I want to group Field A values such that all abc.com value come in 1 row with associated count.

I want output like

field A	count	Field B	Field C	Field D
abc.com	2	1 1	AB CD	1 1
xyz.com	2	2 2	AB CD	1 1
def.com	1	1	AB CD	0

if I take path of stats count then it split field C and D which I don't want, I want them to be uniquely compared as a group value. looking for suggestions. Thanks in advance.

ritzz · ‎10-06-2023

after performing the query

base search |  nomv FieldB | nomv FieldC|  nomv FieldD | stats count values(*) as * by FieldA | foreach FieldB,FieldC FieldD [| eval <<FIELD>>=split(<<FIELD>>,"")]

my result table is like below

field A	count	Field c	Field D	Field E	Field F
abc.com	2	a b	A B	abc.com bcf.com def.com	sub1 sub 2 sub 3
def.com	4	A B	A B	bcc.com xyz.com	sub 5 sub 6 sub 6
efg.com	6	B A	A B	jhg.com abc.com ghj.com	sub 4 sub 7 sub 8

I want to ask is their anyway/operation that I can perform on field E and field F so that they are throwing unique combination value rather a multivalue filed. Prior performing count operation in query Field E and F are unique but after count they become multi value which In later stage again I want to tke them to their prior state.

such that where field A,B,C,D remains same but Field E & F are divided further in rows on basis of unique combination of values of field E & F ( but parent unique combination of A,B,C,D remains same)

ITWhisperer · ‎10-06-2023

Can you provide an example of what that would look like?

ritzz · ‎10-09-2023

something like below where Field A,count,B,C are multivalue existing already calculated fields but additionally Field E and F are divided based on domain ( pre calculation we did in last query) but in domain signifying their unique combination values.

ITWhisperer · ‎10-10-2023

Yeah, you can't do that. Each "row" is an event, a stats event. You can't split the event part way through. You would need to create a new event e.g.

would become

ITWhisperer · ‎10-04-2023

| nomv FieldB
| nomv FieldC
| nomv FieldD
| stats count values(*) as * by FieldA
| foreach FieldB FieldC FieldD
    [| eval <<FIELD>>=split(<<FIELD>>,"
")]

ritzz · ‎10-06-2023

Thanks ! your provided answer worked.

Additionally, explaining for others coming here.

| nomv FieldB     —- multivalue command to convert multivalued field to a single value field

| nomv FieldC      

| nomv FieldD

| stats count values(*) as * by FieldA     —to get count of field values

| foreach FieldB FieldC FieldD             

    [| eval <<FIELD>>=split(<<FIELD>>,"

")]. —-  for every MV field converted to singlevalue field , converting them back  to multivalue fields

grouping field data and count

count

fields

stats

Best Strategies to Optimize Observability Costs

Fueling your curiosity with new Splunk ILT and eLearning courses

Splunk AI Assistant for SPL 1.1.0 | Now Personalized to Your Environment for Greater ...