How to enumerate values in an individual event?

yuanliu · ‎10-15-2014

In stats, values() can be used to enumerate values fitting the stats criteria. Is there a similar function to do this for individual events? For example, a meal can involve fork, knife and spoon multiple times, but I only want an unordered list of utensils have been used, not the full sequence in which they are used.

Given inputs

07:10 food=milk utensil=bowl utensil=spoon food=cereal utensil=spoon food="scrambled eggs" utensil=fork food=milk utensil=bowl food=banana
12:00  food="hot dog"
18:00  food=salad utensil=fork food=bread utensil=knife food=soup utensil=spoon food=steak utensil=knife utensil=fork food=bread food=apple utensil=knife

I want to have the following utensils values attached to each event:

Breakfast: utensils="bowl, fork, knife, spoon"
Lunch:
Dinner: utensils="fork, knife, spoon"

If there is a field "meal", I can perhaps eventstats values(utensil) as utensils by meal. But meal is not always present. Even _time may not be distinct enough. Besides, when dealing with millions of events, eventstats for values in each events looks insane. Is there a better way?

martin_mueller · ‎10-15-2014

This may be a bit brute-force-ish, but is a way of running a stats values() by event:

base search | streamstats count | eventstats values(utensil) as utensils by count

May not scale well for zillions of events.

How to enumerate values in an individual event?

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!