Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to group calculated unique values by another field without using a subsearch?

vitorvmiguel
Explorer
‎06-08-2015 07:47 AM

Hi folks,

I have a problem. I've done a search displayed below and I'm filtering some types of products (produto). After this, I'm counting Unique Clients (Clientes) and which of these Unique Clients had an error message (Clientes_Impactados). I want to make inside this counting another counting grouping by transaction (programa), and i'm wondering if there is a way of doing that without append or appendcols, to keep the search light.

index="raw_internet" produto="1" OR produto="L" OR produto="2" OR produto="W"  | eval Erros=if(match(tipo,"E"),1,0) | stats sum(Erros) AS ClientesErros by codigoAcesso | stats count AS Clientes, count(eval(ClientesErros>0)) AS Clientes_Impactados |

I hope someone can help me.
Tks

Reply
1 Solution
Solved! Jump to solution
Solution

sideview
SplunkTrust
SplunkTrust
‎06-09-2015 12:27 AM

Generally in this situation the answer involves switching out a stats clause for an "eventstats" clause. Sometimes in related cases, switching out a stats for a streamstats. Often with some funky evals.

eventstats count sum(foo) by bar basically does the same work as stats count sum(foo) by bar, except that it neglects to also transform, ie group the rows, into the unique values of 'bar'. So instead eventstats gives back the same rows that went into it, just with "count" and "sum(foo)" fields added as appropriate.

I don't know the exact requirements of your programa grouping, but here is a guess as to the sort of thing you're looking for. 

index="raw_internet" produto="1" OR produto="L" OR produto="2" OR produto="W"  
| eval Erros=if(match(tipo,"E"),1,0) 
| eventstats sum(Erros) as ClientesErros by codigoAcesso 
| eval impacted_client_name=if(ClientesErros>1,codigoAcesso,null()) 
| streamstats dc(impacted_client_name) as Clientes_Impactados 
| eventstats sum(Erros) as programaErros by programa 
| eval impacted_transactions=if(programaErros>1,programa,null())
| streamstats dc(impacted_transactions) as Programas_Impactados
| stats dc(codigoAcesso) as Clientes, max(Clientes_Impactados) as Clientes_Impactados max(Programas_Impactados) as Programas_Impactados

Here what I'm doing is a little tricky. For both clients and transactions, I'm using eventstats to do the work instead of stats. But then since we don't have transformed rows, we have to be a little clever in getting our Clientes_Impactados. We can't just count the rows anymore. So instead I create a new field that is equal to the client name only if the client has some errors. then I use a streamstats to count the distinct values of that field seen, then at the end we can take the max() of that number. Someone else might find a simpler way this at least illustrates the way of thinking. eventstats/streamstats and eval can often dance around this issue, so you can "group" without grouping and thus effectively group several different contradictory ways simultaneously.

View solution in original post

Reply
Solved! Jump to solution
Solution

sideview
SplunkTrust
SplunkTrust
‎06-09-2015 12:27 AM

Generally in this situation the answer involves switching out a stats clause for an "eventstats" clause. Sometimes in related cases, switching out a stats for a streamstats. Often with some funky evals.

eventstats count sum(foo) by bar basically does the same work as stats count sum(foo) by bar, except that it neglects to also transform, ie group the rows, into the unique values of 'bar'. So instead eventstats gives back the same rows that went into it, just with "count" and "sum(foo)" fields added as appropriate.

I don't know the exact requirements of your programa grouping, but here is a guess as to the sort of thing you're looking for. 

index="raw_internet" produto="1" OR produto="L" OR produto="2" OR produto="W"  
| eval Erros=if(match(tipo,"E"),1,0) 
| eventstats sum(Erros) as ClientesErros by codigoAcesso 
| eval impacted_client_name=if(ClientesErros>1,codigoAcesso,null()) 
| streamstats dc(impacted_client_name) as Clientes_Impactados 
| eventstats sum(Erros) as programaErros by programa 
| eval impacted_transactions=if(programaErros>1,programa,null())
| streamstats dc(impacted_transactions) as Programas_Impactados
| stats dc(codigoAcesso) as Clientes, max(Clientes_Impactados) as Clientes_Impactados max(Programas_Impactados) as Programas_Impactados

Here what I'm doing is a little tricky. For both clients and transactions, I'm using eventstats to do the work instead of stats. But then since we don't have transformed rows, we have to be a little clever in getting our Clientes_Impactados. We can't just count the rows anymore. So instead I create a new field that is equal to the client name only if the client has some errors. then I use a streamstats to count the distinct values of that field seen, then at the end we can take the max() of that number. Someone else might find a simpler way this at least illustrates the way of thinking. eventstats/streamstats and eval can often dance around this issue, so you can "group" without grouping and thus effectively group several different contradictory ways simultaneously.

Reply
Solved! Jump to solution

vitorvmiguel
Explorer
‎06-09-2015 05:23 AM

Thank you for the detailed explanation.

0 Karma
Reply
Solved! Jump to solution

chimell
Motivator
‎06-08-2015 08:49 AM

Hi vitorvmiguel
Instead of append or appendcols command you can use multisearch command
Like below

     | multisearch [search index="raw_internet" produto="1" OR produto="L" OR produto="2" OR produto="W" |stats count AS Clientes] [search index="raw_internet" produto="1" OR produto="L" OR produto="2" OR produto="W" | eval Erros=if(match(tipo,"E"),1,0) | stats sum(Erros) AS ClientesErros by codigoAcesso | count(eval(ClientesErros>0)) AS Clientes_Impactados]
0 Karma
Reply
Solved! Jump to solution

vitorvmiguel
Explorer
‎06-08-2015 09:59 AM

Thank you for your answer chimell but, thats not what i'm looking for, i'm trying to avoid the subsearches. I was wondering if it's possible in the same stats count to count different things and return different results.

rgs

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk at Cisco Live 2025: Learning, Innovation, and a Little Bit of Mr. Brightside

Pack your bags (and maybe your dancing shoes)—Cisco Live is heading to San Diego, June 8–12, 2025, and Splunk ...

Splunk App Dev Community Updates – What’s New and What’s Next

Welcome to your go-to roundup of everything happening in the Splunk App Dev Community! Whether you're building ...

The Latest Cisco Integrations With Splunk Platform!

Join us for an exciting tech talk where we’ll explore the latest integrations in Cisco + Splunk! We’ve ...