Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

sorting names and couting

daisymedina101
New Member
‎10-12-2019 11:30 PM

Hi, new to Splunk I'm trying to sort out names from my logs files as such

so far I have added a new filed "names" but it just gives me all the names of the logs mixed up as such:

cat_01
mouse10
cat_03
Dog_08
mouse10
Dog_60
mouse40
cat_02
mouse70
Dog_50

I'd like to sort these out as such I'm also using one query to search for these logs and i'd like to have a nice graph with all this info. any help would be appreciated.
cat_01
cat_02
cat_03
total= 3

Dog_08
Dog_50
Dog_60
total=3

mouse10
mouse40
total= 2

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎10-13-2019 03:44 AM

Hi daisymedina101,
to sort values in a field it's very easy because you can use the sort command (see https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Sort ).
But I think that you're asking something more.

If I correctly understood, you want to group your values and count the different values for each group, is it correct?

If this is your need, you should find a rule to classify your data (e.g. the string before underscore).
In this case you can use eval command to assign a category to them, something like this:

index=my_index
| rex field=my_field "^(?<category>\w*)_"
| eval category=if(isnull(category),"Others",category)
| stats values(my_field) AS my_field dc(my_field) AS total BY category

Ciao.
Giuseppe

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎10-13-2019 03:44 AM

Hi daisymedina101,
to sort values in a field it's very easy because you can use the sort command (see https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Sort ).
But I think that you're asking something more.

If I correctly understood, you want to group your values and count the different values for each group, is it correct?

If this is your need, you should find a rule to classify your data (e.g. the string before underscore).
In this case you can use eval command to assign a category to them, something like this:

index=my_index
| rex field=my_field "^(?<category>\w*)_"
| eval category=if(isnull(category),"Others",category)
| stats values(my_field) AS my_field dc(my_field) AS total BY category

Ciao.
Giuseppe

0 Karma
Reply
Solved! Jump to solution

daisymedina101
New Member
‎10-13-2019 03:33 PM

Giuseppe,

Awesome this worked!! thanks for this help!!

0 Karma
Reply
Solved! Jump to solution

daisymedina101
New Member
‎10-17-2019 04:04 PM

If I wanted to do a simple Count the total by just one category would I use

stats count as Total

Example: field1 gives me these values in GB
450
685
562
total:

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

After a whole week of being on call, you fell asleep on your keyboard, and you hit a sequence of buttons that ...

SplunkTrust Application Period is Officially OPEN!

It's that time, folks! The application/nomination period for the 2026-2027 SplunkTrust is officially open. If ...