Hi there,
I am new to Splunk.
I have data with the following structure, where each entry has an event name and a variable list of properties associated with that event:
{event=eventA, properties={propertyName1=123, propertyName2=abc}}
{event=eventA, properties={propertyName1=456, propertyName2=def}}
{event=eventB, properties={propertyName3=789}}
{event=eventC, properties={propertyName4=AAA, propertyName5=BBB}}
Events of type eventA will always have the same number and names of properties, which are different from the names and number of properties that other types of events have.
I want to ignore the values themselves, and create a search that results in a table that summarizes the properties that each event type has:
eventA propertyName1, propertyName2
eventB propertyName3
eventC propertyName4, propertyName5
How can I do that?
You can't list the field names in a table other than as a header. The body of the table is for values, like counts.
However, you could create a table with the header:
event propertyName1 propertyName2 propertyName3 propertyName4 propertyName5
and populate the table with counts of propertyNames by event, which would show blanks when the propertyName does not exist for that event:
search event="*" | fillnull value=" " | stats count by event,propertyName1,propertyName2,propertyName3,propertyName4,propertyName5
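A different way to get the summary the question asked for, listing the property names per event type rather than counts, as an added example that is not part of the answer above. It assumes the raw events are stored in _raw exactly in the key=value form shown in the question and that the data lives in a hypothetical index called myindex; the property names are pulled out of the properties={...} braces with rex, so it works for any property name, not just ones matching propertyName<digit>.

```spl
index=myindex
| rex field=_raw "event=(?<event>[^,}]+)"
| rex field=_raw "properties=\{(?<props_raw>[^}]*)\}"
| rex field=props_raw max_match=0 "(?<prop>[\w.]+)\s*="
| stats values(prop) as properties by event
| eval properties=mvjoin(properties, ", ")
| table event properties
```

The third rex uses max_match=0, so prop becomes a multivalue field holding every key found inside the braces for that event. stats values() then collects the distinct keys seen across all events of each type, which is exactly the "names only, ignore the values" view; note that values() sorts the names alphabetically, so the order is not the order they appear in the raw event. On the sample data this gives eventA with propertyName1, propertyName2; eventB with propertyName3; and eventC with propertyName4, propertyName5. The same search is also a cheap way to spot schema drift in a log source: if an event type suddenly shows a key you did not expect, it appears in the list.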