Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

sorting names and couting

daisymedina101
New Member
‎10-12-2019 11:30 PM

Hi, new to Splunk I'm trying to sort out names from my logs files as such

so far I have added a new filed "names" but it just gives me all the names of the logs mixed up as such:

cat_01
mouse10
cat_03
Dog_08
mouse10
Dog_60
mouse40
cat_02
mouse70
Dog_50

I'd like to sort these out as such I'm also using one query to search for these logs and i'd like to have a nice graph with all this info. any help would be appreciated.
cat_01
cat_02
cat_03
total= 3

Dog_08
Dog_50
Dog_60
total=3

mouse10
mouse40
total= 2

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎10-13-2019 03:44 AM

Hi daisymedina101,
to sort values in a field it's very easy because you can use the sort command (see https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Sort ).
But I think that you're asking something more.

If I correctly understood, you want to group your values and count the different values for each group, is it correct?

If this is your need, you should find a rule to classify your data (e.g. the string before underscore).
In this case you can use eval command to assign a category to them, something like this:

index=my_index
| rex field=my_field "^(?<category>\w*)_"
| eval category=if(isnull(category),"Others",category)
| stats values(my_field) AS my_field dc(my_field) AS total BY category

Ciao.
Giuseppe

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎10-13-2019 03:44 AM

Hi daisymedina101,
to sort values in a field it's very easy because you can use the sort command (see https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Sort ).
But I think that you're asking something more.

If I correctly understood, you want to group your values and count the different values for each group, is it correct?

If this is your need, you should find a rule to classify your data (e.g. the string before underscore).
In this case you can use eval command to assign a category to them, something like this:

index=my_index
| rex field=my_field "^(?<category>\w*)_"
| eval category=if(isnull(category),"Others",category)
| stats values(my_field) AS my_field dc(my_field) AS total BY category

Ciao.
Giuseppe

0 Karma
Reply
Solved! Jump to solution

daisymedina101
New Member
‎10-13-2019 03:33 PM

Giuseppe,

Awesome this worked!! thanks for this help!!

0 Karma
Reply
Solved! Jump to solution

daisymedina101
New Member
‎10-17-2019 04:04 PM

If I wanted to do a simple Count the total by just one category would I use

stats count as Total

Example: field1 gives me these values in GB
450
685
562
total:

0 Karma
Reply
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...