Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to group by two or many fields fields?

sshubh
Explorer
‎03-14-2023 10:22 AM

Hi,

Here is my Data in 2 logs having 3 fields

Log1 : 

AccountName books bought bookName
ABC 4 book1, book2, book3, book1
DEF 3 book1, book2, book2
MNO 1 book3

 

Log 2 :

AccountName books sold bookName
ABC 1 book3
DEF 2 book2, book2
MNO 1 book3

 

 

Result I want :

AccountName Total Books bookName bought sold
ABC 4 book1
book2
book3		 2
1
1		 0
0
1
DEF 3 book1
book2		 1
2		 0
2
MNO 1 book3 1 1
         

 

Can anyone please help me in this. 

Labels (3)
Labels
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎03-14-2023 11:10 AM 
| eval bookName=split(bookName,", ")
| eval bought_sold=if(isnotnull("books bought"),"bought","sold")
| stats count by AccountName bookName bought_sold
| eval {bought_sold}=count
| fields - bought_sold count
| stats sum(*) as * by AccountName bookName
| fillnull value=0
| stats list(*) as * by AccountName
Reply

sshubh
Explorer
‎03-20-2023 11:55 PM

Hi, I tried following :

index="test" "Books bought" | rex field=_raw "Books\sbought\sAccountName=(?P<accountName>[^,]*),\sBooks=\[(?P<books>[^\]]*)]" | join type=left accountName
[search index="test" "Books Sold" | rex field=_raw "Books\sSold\sAccountName=(?P<accountName>[^,]*),\sBook=(?P<book>.*)"] | eval bookUsed = split(books, ",") | stats count as bought count(book) as sold by accountName bookUsed

I get following result:

accountNamebookUsedboughtsold
ABCBook121
ABCBook211
DEFBook13 1

 

Now, here the issue is I am getting multiple rows for same accountName but I want only one row for accountName like:

accountNamebookUsedboughtsold
ABCBook1
Book2		2
1		1
1
DEFBook13 1
    

 

Anyone please help. I want to learn and apologies for tagging explicitly.

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎03-21-2023 12:04 AM

To convert your table to the format you want, use the list aggregator function

| stats list(*) as * by accountName
Reply

sshubh
Explorer
‎04-26-2023 09:35 AM

Thanks for the taking out time and helping. 

| stats list(*) as * by accountName

 worked out. and i got the following result

accountNamebookUsedboughtsold
ABCBook1
Book2		2
1		1
1
DEFBook13 1

 

 

 

I used below query

index="test" "Books bought" | rex field=_raw "Books\sbought\sAccountName=(?P<accountName>[^,]*),\sBooks=\[(?P<books>[^\]]*)]" | join type=left accountName
[search index="test" "Books Sold" | rex field=_raw "Books\sSold\sAccountName=(?P<accountName>[^,]*),\sBook=(?P<book>.*)"] | eval bookUsed = split(books, ",") | stats count as bought count(book) as sold by accountName bookUsed | stats list(*) as * by accountName

Now, I want to add one more column (total Bought) that contains sum of column bought to get following result:

accountNamebookUsedTotal Boughtboughtsold
ABCBook1
Book2		32
1		1
1
DEFBook133 1

 

Can anyone suggest how I can get this. I tried but not able to get the intended result. Thanks in advance.

0 Karma
Reply

sshubh
Explorer
‎04-26-2023 09:57 AM

I used following and it worked.

| stats sum(Bought) as "Total Bought" list(*) as * by accountName
0 Karma
Reply
Get Updates on the Splunk Community!

Prove Your Splunk Prowess at .conf25—No Prereqs Required!

Your Next Big Security Credential: No Prerequisites Needed We know you’ve got the skills, and now, earning the ...

Splunk Observability Cloud's AI Assistant in Action Series: Observability as Code

This is the sixth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how to ...

Splunk Answers Content Calendar, July Edition I

Hello Community! Welcome to another month of Community Content Calendar series! For the month of July, we will ...