Splunk Search

stats count by fieldnames (not field strings)

stephenreece
New Member

Hi all,

Bit of a strange one...

The business has put a descriptor of the product as a field name and it would be really useful to stats count by all field names (multiple parent and child categories). I don't really care about the string within the field at this point, I just care that the field appears.

For example

events and field{string} could be:
- name = {testName}
- address = {testAddress}
- address = {testAddress}
- postcode = {testPC}
- name = {testName}
- product = {testProduct}

So my search should produce the following results

eventName statscount
name 2
address 2
postcode 1
product 1

Any ideas would be great...

Just to add complexity... there are child categories which go to 3 levels,
i.e. product.group.entity = {test entity}

So ideally I'd capture ALL field names in the one search (I will clean it later as long as I can get the logic right).

DalJeanis
Legend

You almost had it. Try something like this:

   your base search
   | table data.*
   | rename data.* as *
   | eval junk=1
   | untable junk fieldname fieldvalue
   | stats count by fieldname

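An offline model of what the pipeline in the answer above computes, added here as an example and not part of the original thread or of Splunk itself: Python that flattens each event's `data` subtree to dotted field names (the `table data.*`, `rename` and `untable` steps) and counts events per name (`stats count by fieldname`). The sample events, the function names and the choice to skip null values are assumptions.

```python
import json
from collections import Counter

# Constructed sample events (not from the original thread), shaped like the
# question: every product descriptor sits under a parent "data" object.
SAMPLE_EVENTS = [
    '{"data": {"name": "testName"}}',
    '{"data": {"address": "testAddress"}}',
    '{"data": {"address": "testAddress"}}',
    '{"data": {"postcode": "testPC"}}',
    '{"data": {"name": "testName"}}',
    '{"data": {"product": "testProduct"}}',
    '{"data": {"product": {"group": {"entity": "test entity"}}}}',
    # Null value and a field outside "data": neither should be counted.
    '{"other": {"ignored": "x"}, "data": {"name": null}}',
]


def leaf_names(node, prefix=""):
    """Yield dotted names of populated leaves, e.g. product.group.entity."""
    for key, value in node.items():
        name = f"{prefix}.{key}" if prefix else key
        if isinstance(value, dict):
            # Child category: descend and extend the dotted name.
            yield from leaf_names(value, name)
        elif value is not None:
            # Assumption: a null value means the field does not "appear".
            yield name


def count_field_names(raw_events, parent="data"):
    """Count, per field name under `parent`, the events that carry it."""
    counts = Counter()
    for raw in raw_events:
        subtree = json.loads(raw).get(parent)
        if isinstance(subtree, dict):
            # The parent prefix is dropped, like `rename data.* as *`.
            counts.update(leaf_names(subtree))
    return dict(sorted(counts.items()))


if __name__ == "__main__":
    for fieldname, count in count_field_names(SAMPLE_EVENTS).items():
        print(f"{fieldname}\t{count}")
```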

stephenreece
New Member

Fantastic... thanks very much... I was going to go along the spath route just for quickness but that would mean writing out each variation by hand... this is such an efficient way to search... KUDOS

stephenreece
New Member

Hi all... it's almost like I need to do a fieldsummary table but only look at counting fields that sit under a parent field of, say, data.

For example:
data.name
data.address
data.address.postcode
data.product
data.product.group.entity

(I need to count all those fields above by their field name.)
