Solved: stats usage to display output as follows

rakesh_498115 · ‎06-25-2012

I have a table like this ..

Table 1 : Information to be searched

**Company A | Company B

abc xyz
lmn pqr
def pgf**

Where the values mentioned inside the table are searchparameters . Now i need the count of the search parameters in splunk like this ..

Table 2: Output
Company A | Count A | Company B | Count B
abc 30 xyz 10
lmn 40 pqr 23

def 50 pgf 29

my sourcetype is "A".

sourcetype="A" abc | stats count as Count A

has given abc count..I need count for all the values in A and B mentioned in Table 1 as in Table 2.i.e Table 2 should be the output for my search results...How do i accomplish this..please help..

alacercogitatus · ‎11-14-2012

While yannK has provided a "quick and dirty", (and I borrowed portions of his answer), I think this may be closer to what you want because of the need to count by the value of companyA and companyB. This is by no means optimized, but outputs a table as seen below the search.

sourcetyp="A" NOT "companyA" NOT "-------" | rex field=_raw "^(?<companyA>[^\s]+)(?<companyB>.*)$"|stats count(companyA) by companyA | appendcols [search sourcetyp="A" NOT "companyA" NOT "-------" | rex field=_raw "^(?<companyA>[^\s]+)(?<companyB>.*)$"|stats count(companyB) by companyB]

My Results Table

companyA count(companyA) companyB count(companyB) abc 3 pgf 2 def 2 pqr 3 lmn 2 xyz 2

My Sample Data

Company A | Company B abc xyz lmn pqr def pgf abc pqr

View solution in original post

jerrythomasnyk · ‎10-16-2015

Hello, I have browsed most of your posts. This post is probably where I got the most useful information for my research. Thanks for posting, maybe we can see more on this. Are you aware of any other websites on this subject. Kartikeya Sharma & Robert Vadra

alacercogitatus · ‎11-14-2012

While yannK has provided a "quick and dirty", (and I borrowed portions of his answer), I think this may be closer to what you want because of the need to count by the value of companyA and companyB. This is by no means optimized, but outputs a table as seen below the search.

sourcetyp="A" NOT "companyA" NOT "-------" | rex field=_raw "^(?<companyA>[^\s]+)(?<companyB>.*)$"|stats count(companyA) by companyA | appendcols [search sourcetyp="A" NOT "companyA" NOT "-------" | rex field=_raw "^(?<companyA>[^\s]+)(?<companyB>.*)$"|stats count(companyB) by companyB]

My Results Table

companyA count(companyA) companyB count(companyB) abc 3 pgf 2 def 2 pqr 3 lmn 2 xyz 2

My Sample Data

Company A | Company B abc xyz lmn pqr def pgf abc pqr

yannK · ‎11-15-2012

nice complete answer.

yannK · ‎11-13-2012

Quick and dirty answer for the bounty reward. " dead or alive"

sourcetype="A" NOT "companyA" NOT "------" | rex "^(?<companyA>[^\s]*) (?<companyB>\w+)$" | stats dc(companyA) count(companyA) dc(companyB) count(companyB)

alacercogitatus · ‎11-15-2012

I only have my answer because of you answer 😄

piebob · ‎11-13-2012

hi! i will award a 50 karma bounty to the first person to provide a good/correct answer to this question!

rakesh_498115 · ‎06-29-2012

the raw contains these terms abc ,xyz, lmn, pqr, def pgf . where abc lmn def belong to company A and xyz pqr def belong to company B. Now i need to know the count of these searchs like the table showed above...

Ayn · ‎06-25-2012

Explain the table more clearly. Is the table itself one single event in the input? How exactly does the raw data that you're operating on look like?

stats usage to display output as follows

**Company A | Company B

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!