Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

stats count by fieldnames (not field strings)

stephenreece
New Member
‎04-15-2020 01:57 AM

hi all,

bit of a strange one...

The business has put a descriptor of the product as a field name and it would be really useful to stats count by all field names (multiple parent and child categories. I don't really care about the string within the field at this point, i just care that the field appears.

For example

events and field{string} could be:
- name = {testName}
- address = {testAddress}
- address = {testAddress}
- postcode = {testPC}
- name = {testName}
- product = {testProduct}

So my search should produce the following results

eventName statscount
name 2
address 2
postcode 1
product 1

any ideas would be great...

just to add complexity.... there are child categories which goto 3 levels
i.e. product.group.entity = {test entity}

so ideally i'd capture ALL fieldnames in the one search (i will clean it later as long as i can get the logic right.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

DalJeanis
Legend
‎04-15-2020 08:29 AM

You almost had it. Try something like this:

   your base search
   | table data.*
   | rename data.* as *
   | eval junk=1
   | untable junk fieldname fieldvalue
   | stats count by fieldname

View solution in original post

Reply
Solved! Jump to solution

stephenreece
New Member
‎04-15-2020 10:18 PM

fantastic... thanks very much.... i was going to go along the spath route just for quickness but that would mean writing out each variation by hand... this is such an efficient was to searchl.... KUDOS

0 Karma
Reply
Solved! Jump to solution
Solution

DalJeanis
Legend
‎04-15-2020 08:29 AM

You almost had it. Try something like this:

   your base search
   | table data.*
   | rename data.* as *
   | eval junk=1
   | untable junk fieldname fieldvalue
   | stats count by fieldname
Reply
Solved! Jump to solution

stephenreece
New Member
‎04-15-2020 02:13 AM

hi all... its almost like i need to do a fieldsummary table but only look at counting fields that sit under a parent field of say data.

for example:
data.name
data.address
data.address.postcode
data.product
data.product.group.entity

(i need to count all those fields about by their fieldname

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...

Splunk Enterprise Security 8.x: The Essential Upgrade for Threat Detection, ...

Watch On Demand the Tech Talk on November 6 at 11AM PT, and empower your SOC to reach new heights! Duration: ...

Splunk Observability as Code: From Zero to Dashboard

For the details on what Self-Service Observability and Observability as Code is, we have some awesome content ...