×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Justin49
Loves-to-Learn
Member since: ‎10-07-2021
‎10-07-2021
Community Statistics
Posts 2
Solutions 0
Karma Given 0
Karma Received 0
Member Since ‎10-07-2021
Activity Feed
View All

Re: Group many similar fields from datamodel

by in Splunk Search
‎10-07-2021 12:06 PM
‎10-07-2021 12:06 PM
Hello Mr.Rick and thank you for the prompt response. To clarify (and thank you for pointing this out). I have a field called fieldName, that contains values {ab, ab-HE, ab-XO...} etc. and I am looking to group the cost of these like records by similar fieldName's. And correct, I am not trying to find a letter a followed by 0-infinity b's. I am looking for the letters 'ab' followed by 0-inifinity anythings (most likely a dash followed by 2 letters XD, but also potentially not followed by anything at all). That being said, I did come accross a substr function that I was trying to get to work as well,but I'm only getting NULL. The intent would be to only consider the first 2 characters of the fieldName field and group by that, which should get me the results I am looking for. | from datamodel:"AUDIT.COST_RECORDS" | eval temp=substr(fieldName,1,2) | timechart span=30d sum(cost) as Cost by temp ... View more

Group many similar fields from datamodel

by in Splunk Search
‎10-07-2021 10:09 AM
‎10-07-2021 10:09 AM
Hello All, I have a large dataset "audit.cost_records" wherein I am trying to locate a correlation based on a large number of fields. These fields are large in number (over 1000 total) and many can be grouped (for my current purposes). Some groups may consist of 10+ fields while others may be only 1. Some example field names are: ab, ab-HE, ab-SC, ab-LS, rs, rs-SH, rz, xr, xr-FL, xr-SH, xr-SS in this example, all of the ab items should be grouped, as with rs, and xr.  Unfortunately, I am new to splunk and my understanding of the splunk language is elementary at best. I do have somewhat advanced or at least jorneyman knowledge in SQL and basic in a few programming languages (Java and the like). Unfortunately that doesn't seem to be helping me here. Based on several hours of searching this community and trial and error I have arrived at the below. I was trying to use wildcards to group by similar field names. I've just read somewhere that Splunk may segment the field based on the '-' character, which makes my wildcard not work as I intend. | from datamodel:"AUDIT.COST_RECORDS" | eval Group1=if(match(fieldName,"ab*"), "ABGroup", Group1) | eval Group1=if(match(fieldnName,"rs*"),"RSGroup",Group1) | timechart span=30d sum(cost) as Cost by Group1 Does anyone have any recommendations on how to solve this search? My overall intent is to have a year-to-date line chart (spanned monthly) showing cost over time for each "Group". ... View more
Labels
Contact Me
Online Status
Offline
Date Last Visited
‎10-07-2021 01:32 PM