Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

sorting names and couting

daisymedina101
New Member
‎10-12-2019 11:30 PM

Hi, new to Splunk I'm trying to sort out names from my logs files as such

so far I have added a new filed "names" but it just gives me all the names of the logs mixed up as such:

cat_01
mouse10
cat_03
Dog_08
mouse10
Dog_60
mouse40
cat_02
mouse70
Dog_50

I'd like to sort these out as such I'm also using one query to search for these logs and i'd like to have a nice graph with all this info. any help would be appreciated.
cat_01
cat_02
cat_03
total= 3

Dog_08
Dog_50
Dog_60
total=3

mouse10
mouse40
total= 2

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎10-13-2019 03:44 AM

Hi daisymedina101,
to sort values in a field it's very easy because you can use the sort command (see https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Sort ).
But I think that you're asking something more.

If I correctly understood, you want to group your values and count the different values for each group, is it correct?

If this is your need, you should find a rule to classify your data (e.g. the string before underscore).
In this case you can use eval command to assign a category to them, something like this:

index=my_index
| rex field=my_field "^(?<category>\w*)_"
| eval category=if(isnull(category),"Others",category)
| stats values(my_field) AS my_field dc(my_field) AS total BY category

Ciao.
Giuseppe

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎10-13-2019 03:44 AM

Hi daisymedina101,
to sort values in a field it's very easy because you can use the sort command (see https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Sort ).
But I think that you're asking something more.

If I correctly understood, you want to group your values and count the different values for each group, is it correct?

If this is your need, you should find a rule to classify your data (e.g. the string before underscore).
In this case you can use eval command to assign a category to them, something like this:

index=my_index
| rex field=my_field "^(?<category>\w*)_"
| eval category=if(isnull(category),"Others",category)
| stats values(my_field) AS my_field dc(my_field) AS total BY category

Ciao.
Giuseppe

0 Karma
Reply
Solved! Jump to solution

daisymedina101
New Member
‎10-13-2019 03:33 PM

Giuseppe,

Awesome this worked!! thanks for this help!!

0 Karma
Reply
Solved! Jump to solution

daisymedina101
New Member
‎10-17-2019 04:04 PM

If I wanted to do a simple Count the total by just one category would I use

stats count as Total

Example: field1 gives me these values in GB
450
685
562
total:

0 Karma
Reply
Get Updates on the Splunk Community!

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

  &#x1f680; Your data just got a serious AI upgrade — are you ready? Say hello to the Agentic Era with the ...

Feel the Splunk Love: Real Stories from Real Customers

Hello Splunk Community,    What’s the best part of hearing how our customers use Splunk? Easy: the positive ...

Data Management Digest – November 2025

  Welcome to the inaugural edition of Data Management Digest! As your trusted partner in data innovation, the ...