Deployment Architecture
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How do I group similar values in fields throughout all events together?

thisissplunk
Builder
‎05-05-2014 05:57 AM

From a human standpoint, we realize that there are effectively two groups of data here in the "Serial" field. One starting with "1", and one starting with "9":

  • Serial=123456789
  • Serial=123456788
  • Serial=123456787
  • Serial=987654321
  • Serial=987654322
  • Serial=987654323

How do I leverage Splunk to spit out all of the values in the groups we know exist, organized together and displayed in front of me? I have over 6,000 unique "Serial" values probably making around 15 "groups", but I can't figure out how to get the data organized how I want.

I thought cluster command would work but it doesn't seem to display every unique value in the group, only the top hitter. Correct me if I'm wrong.

  • index=stuff Serial="*" | cluster t=0.35 field=Serial | stats values(Serial) by cluster_label

Any ideas welcome.

0 Karma
Reply

somesoni2
Revered Legend
‎05-05-2014 06:05 AM

How about this

index=stuff Serial="*" | stats count by Serial | eval Group=substr(Serial,1,5) | stats values(Serial) by Group
Reply

thisissplunk
Builder
‎05-08-2014 08:38 AM

The rhyme or reason as to why serial is created with certain patterns is unknown to us, but we want to figure it out. We are working backwards here.

0 Karma
Reply

thisissplunk
Builder
‎05-07-2014 01:24 PM

So the problem is that is impossible, and why I want to use the cluster command if possible. I need fancy math to relate things together for me.

0 Karma
Reply

somesoni2
Revered Legend
‎05-05-2014 07:26 AM

You would have to define the pattern using which you can group Serials. Based on your fixed pattern you change the query.

0 Karma
Reply

thisissplunk
Builder
‎05-05-2014 06:12 AM

Ah thank you. I realize I left out a crucial part of the data set the makes a specific grouping impossible though. This is a more realistic set:

  • Serial=102312-6789
  • Serial=102315-6389
  • Serial=102322-6787
  • Serial=028765-4321
  • Serial=328765-4331
  • Serial=918765-4391
0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Answers Content Calendar, July Edition I

Hello Community! Welcome to another month of Community Content Calendar series! For the month of July, we will ...

Secure Your Future: Mastering Upgrade Readiness for Splunk 10

Spotlight: The Splunk Health Assistant Add-On  The Splunk Health Assistant Add-On is your ultimate companion ...

Observability Unlocked: Kubernetes & Cloud Monitoring with Splunk IM

Ready to master Kubernetes and cloud monitoring like the pros? Join Splunk’s Growth Engineering team on ...