Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

stats count by fieldnames (not field strings)

stephenreece
New Member
‎04-15-2020 01:57 AM

hi all,

bit of a strange one...

The business has put a descriptor of the product as a field name and it would be really useful to stats count by all field names (multiple parent and child categories. I don't really care about the string within the field at this point, i just care that the field appears.

For example

events and field{string} could be:
- name = {testName}
- address = {testAddress}
- address = {testAddress}
- postcode = {testPC}
- name = {testName}
- product = {testProduct}

So my search should produce the following results

eventName statscount
name 2
address 2
postcode 1
product 1

any ideas would be great...

just to add complexity.... there are child categories which goto 3 levels
i.e. product.group.entity = {test entity}

so ideally i'd capture ALL fieldnames in the one search (i will clean it later as long as i can get the logic right.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

DalJeanis
Legend
‎04-15-2020 08:29 AM

You almost had it. Try something like this:

   your base search
   | table data.*
   | rename data.* as *
   | eval junk=1
   | untable junk fieldname fieldvalue
   | stats count by fieldname

View solution in original post

Reply
Solved! Jump to solution

stephenreece
New Member
‎04-15-2020 10:18 PM

fantastic... thanks very much.... i was going to go along the spath route just for quickness but that would mean writing out each variation by hand... this is such an efficient was to searchl.... KUDOS

0 Karma
Reply
Solved! Jump to solution
Solution

DalJeanis
Legend
‎04-15-2020 08:29 AM

You almost had it. Try something like this:

   your base search
   | table data.*
   | rename data.* as *
   | eval junk=1
   | untable junk fieldname fieldvalue
   | stats count by fieldname
Reply
Solved! Jump to solution

stephenreece
New Member
‎04-15-2020 02:13 AM

hi all... its almost like i need to do a fieldsummary table but only look at counting fields that sit under a parent field of say data.

for example:
data.name
data.address
data.address.postcode
data.product
data.product.group.entity

(i need to count all those fields about by their fieldname

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...