Solved: grouping similar field values

atreece · ‎07-03-2012

I have a set of events that are generated with locations in the form of xloc and yloc. (z, or height, is irrelevant) I am trying to find events that happen in the same place, but I want to group any events that happen in the same area, say 5 meters. (+-5)
Is there a way to do this in splunk?

Ayn · ‎07-03-2012

You could probably use bucket for this. bucket puts continuous numerical values into discrete sets, so you could group together all xloc/yloc points within the same general area. Using this, if you'd want to get a count of the events within a certain range, you could do something like:

... | bucket xloc span=10 | bucket yloc span=10 | stats count by xloc,yloc

More information on the bucket command: http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Bucket

View solution in original post

Ayn · ‎07-03-2012

You could probably use bucket for this. bucket puts continuous numerical values into discrete sets, so you could group together all xloc/yloc points within the same general area. Using this, if you'd want to get a count of the events within a certain range, you could do something like:

... | bucket xloc span=10 | bucket yloc span=10 | stats count by xloc,yloc

More information on the bucket command: http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Bucket

grouping similar field values

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

May 2026 Splunk Expert Sessions: Security & Observability

Network to App: Observability Unlocked [May & June Series]

Join the Conversation