- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Grouping similar
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Grouping similar
HI All,
Im have a search and its working great for calculating averages based on the domain, the problem is that I would like to group the google.com's together. I thought I could do it with the eval command but it doesnt seem to be working for me
search
index=collaboration tag::host=inbound [search index=collaboration tag::host=inbound mail_sender=email_address@umich.edu | fields simta_id] | transaction simta_id | stats avg(duration) as "Average Duration" by domain_name
output looks like this
adsroot.itcs.umich.edu 31.538462
med.umich.edu 35.000000
mail-ig0-f173.google.com 61.000000
mail-ig0-f175.google.com 36.000000
mail-oi0-f47.google.com 36.000000
mail-qa0-f44.google.com 36.000000
mail-vc0-f178.google.com 36.000000
mail-wg0-f49.google.com 36.000000
mail-wi0-f178.google.com 37.000000
mail-yh0-f51.google.com 34.000000
mail-yk0-f170.google.com 36.000000
thanks all
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If the full hostname does not matter for google.com you could do something like the following to reassign just google.com:
index=collaboration tag::host=inbound [search index=collaboration tag::host=inbound mail_sender=email_address@umich.edu | fields simta_id] | transaction simta_id |eval domain_name=if(match(domain_name,".*google.com"),"google.com",domain_name)| stats avg(duration) as "Average Duration" by domain_name
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Another alternative
index=collaboration tag::host=inbound [search index=collaboration tag::host=inbound mail_sender=email_address@umich.edu | fields simta_id] | transaction simta_id | replace *.google.com with google.com in domain_name| stats avg(duration) as "Average Duration" by domain_name
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
By "group the google.com's" together, do you mean you want 1 average for all *.google.com domain_names ? Do you want the umich.edu domain_names grouped as well?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
Sorry about that only the Google ones should be groups the umich ones are fine separate
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Will there be other domains like "google.com" which may appear multiple time? Also, the first two entries in your output, should they be also clubbed into one? (they both are from umich.edu domain)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
Sorry about that only the Google ones should be groups the umich ones are fine separate
Introducing the 2024 SplunkTrust!
Introducing the 2024 Splunk MVPs!
Splunk Custom Visualizations App End of Life
