Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

sorting names and couting

daisymedina101
New Member
‎10-12-2019 11:30 PM

Hi, new to Splunk I'm trying to sort out names from my logs files as such

so far I have added a new filed "names" but it just gives me all the names of the logs mixed up as such:

cat_01
mouse10
cat_03
Dog_08
mouse10
Dog_60
mouse40
cat_02
mouse70
Dog_50

I'd like to sort these out as such I'm also using one query to search for these logs and i'd like to have a nice graph with all this info. any help would be appreciated.
cat_01
cat_02
cat_03
total= 3

Dog_08
Dog_50
Dog_60
total=3

mouse10
mouse40
total= 2

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎10-13-2019 03:44 AM

Hi daisymedina101,
to sort values in a field it's very easy because you can use the sort command (see https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Sort ).
But I think that you're asking something more.

If I correctly understood, you want to group your values and count the different values for each group, is it correct?

If this is your need, you should find a rule to classify your data (e.g. the string before underscore).
In this case you can use eval command to assign a category to them, something like this:

index=my_index
| rex field=my_field "^(?<category>\w*)_"
| eval category=if(isnull(category),"Others",category)
| stats values(my_field) AS my_field dc(my_field) AS total BY category

Ciao.
Giuseppe

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎10-13-2019 03:44 AM

Hi daisymedina101,
to sort values in a field it's very easy because you can use the sort command (see https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Sort ).
But I think that you're asking something more.

If I correctly understood, you want to group your values and count the different values for each group, is it correct?

If this is your need, you should find a rule to classify your data (e.g. the string before underscore).
In this case you can use eval command to assign a category to them, something like this:

index=my_index
| rex field=my_field "^(?<category>\w*)_"
| eval category=if(isnull(category),"Others",category)
| stats values(my_field) AS my_field dc(my_field) AS total BY category

Ciao.
Giuseppe

0 Karma
Reply
Solved! Jump to solution

daisymedina101
New Member
‎10-13-2019 03:33 PM

Giuseppe,

Awesome this worked!! thanks for this help!!

0 Karma
Reply
Solved! Jump to solution

daisymedina101
New Member
‎10-17-2019 04:04 PM

If I wanted to do a simple Count the total by just one category would I use

stats count as Total

Example: field1 gives me these values in GB
450
685
562
total:

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

&#x1f342; Fall into November with a fresh lineup of Community Office Hours, Tech Talks, and Webinars we’ve ...

Transform your security operations with Splunk Enterprise Security

Hi Splunk Community, Splunk Platform has set a great foundation for your security operations. With the ...

Splunk Admins and App Developers | Earn a $35 gift card!

Splunk, in collaboration with ESG (Enterprise Strategy Group) by TechTarget, is excited to announce a ...