Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

sorting names and couting

daisymedina101
New Member
‎10-12-2019 11:30 PM

Hi, new to Splunk I'm trying to sort out names from my logs files as such

so far I have added a new filed "names" but it just gives me all the names of the logs mixed up as such:

cat_01
mouse10
cat_03
Dog_08
mouse10
Dog_60
mouse40
cat_02
mouse70
Dog_50

I'd like to sort these out as such I'm also using one query to search for these logs and i'd like to have a nice graph with all this info. any help would be appreciated.
cat_01
cat_02
cat_03
total= 3

Dog_08
Dog_50
Dog_60
total=3

mouse10
mouse40
total= 2

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎10-13-2019 03:44 AM

Hi daisymedina101,
to sort values in a field it's very easy because you can use the sort command (see https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Sort ).
But I think that you're asking something more.

If I correctly understood, you want to group your values and count the different values for each group, is it correct?

If this is your need, you should find a rule to classify your data (e.g. the string before underscore).
In this case you can use eval command to assign a category to them, something like this:

index=my_index
| rex field=my_field "^(?<category>\w*)_"
| eval category=if(isnull(category),"Others",category)
| stats values(my_field) AS my_field dc(my_field) AS total BY category

Ciao.
Giuseppe

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎10-13-2019 03:44 AM

Hi daisymedina101,
to sort values in a field it's very easy because you can use the sort command (see https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Sort ).
But I think that you're asking something more.

If I correctly understood, you want to group your values and count the different values for each group, is it correct?

If this is your need, you should find a rule to classify your data (e.g. the string before underscore).
In this case you can use eval command to assign a category to them, something like this:

index=my_index
| rex field=my_field "^(?<category>\w*)_"
| eval category=if(isnull(category),"Others",category)
| stats values(my_field) AS my_field dc(my_field) AS total BY category

Ciao.
Giuseppe

0 Karma
Reply
Solved! Jump to solution

daisymedina101
New Member
‎10-13-2019 03:33 PM

Giuseppe,

Awesome this worked!! thanks for this help!!

0 Karma
Reply
Solved! Jump to solution

daisymedina101
New Member
‎10-17-2019 04:04 PM

If I wanted to do a simple Count the total by just one category would I use

stats count as Total

Example: field1 gives me these values in GB
450
685
562
total:

0 Karma
Reply
Get Updates on the Splunk Community!

Aligning Observability Costs with Business Value: Practical Strategies

 Join us for an engaging Tech Talk on Aligning Observability Costs with Business Value: Practical ...

Mastering Data Pipelines: Unlocking Value with Splunk

 In today's AI-driven world, organizations must balance the challenges of managing the explosion of data with ...

Splunk Up Your Game: Why It's Time to Embrace Python 3.9+ and OpenSSL 3.0

Did you know that for Splunk Enterprise 9.4, Python 3.9 is the default interpreter? This shift is not just a ...