- Splunk Answers
- :
- Splunk Administration
- :
- Deployment Architecture
- :
- How do I group similar values in fields throughout...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How do I group similar values in fields throughout all events together?
From a human standpoint, we realize that there are effectively two groups of data here in the "Serial" field. One starting with "1", and one starting with "9":
- Serial=123456789
- Serial=123456788
- Serial=123456787
- Serial=987654321
- Serial=987654322
- Serial=987654323
How do I leverage Splunk to spit out all of the values in the groups we know exist, organized together and displayed in front of me? I have over 6,000 unique "Serial" values probably making around 15 "groups", but I can't figure out how to get the data organized how I want.
I thought cluster command would work but it doesn't seem to display every unique value in the group, only the top hitter. Correct me if I'm wrong.
- index=stuff Serial="*" | cluster t=0.35 field=Serial | stats values(Serial) by cluster_label
Any ideas welcome.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How about this
index=stuff Serial="*" | stats count by Serial | eval Group=substr(Serial,1,5) | stats values(Serial) by Group
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The rhyme or reason as to why serial is created with certain patterns is unknown to us, but we want to figure it out. We are working backwards here.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
So the problem is that is impossible, and why I want to use the cluster command if possible. I need fancy math to relate things together for me.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You would have to define the pattern using which you can group Serials. Based on your fixed pattern you change the query.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Ah thank you. I realize I left out a crucial part of the data set the makes a specific grouping impossible though. This is a more realistic set:
- Serial=102312-6789
- Serial=102315-6389
- Serial=102322-6787
- Serial=028765-4321
- Serial=328765-4331
- Serial=918765-4391
Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...
Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...
Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...
