I'm new to Splunk and I have been searching for a way to do faceted search, similarly to what I have been doing with Solr. But no success so far. Hope you can give me a hand on this.
Imagine I have the following data sample.
PARAMETER01 | PARAMETER02 | PARAMETER03
house | road | road
car | tree | house
road | car | car
tree | car | house
What I want to know is how many times a search matches a specific field. For instance, I want to be able to search for "house" and get the following results:
PARAMETER01: 1
PARAMETER02: 0
PARAMETER03: 2
Can I do this with Splunk?
Thank you in advance.
You can do it as a one-off like this:
... | stats count(eval(PARAMETER01="house")) AS PARAMETER01 count(eval(PARAMETER02="house")) AS PARAMETER02 count(eval(PARAMETER03="house")) AS PARAMETER03
But you should probably convert this to a macro which you can call like this:
... | `MyMacro("house")`
Hi everyone,
I found the solution provided to be very slow, especially when we have a considerable number of fields to search.
Is there an alternative way to get the same results?
Or is there any way to optimize the Splunk dataset to improve this kind of search?
Thanks in advance.
Using stats is the most efficient (quickest) way to do this kind of thing.
You can do it as a one-off like this:
... | stats count(eval(PARAMETER01="house")) AS PARAMETER01 count(eval(PARAMETER02="house")) AS PARAMETER02 count(eval(PARAMETER03="house")) AS PARAMETER03
But you should probably convert this to a macro which you can call like this:
... | `MyMacro("house")`
Thanks woodcock!
It worked as expected. I just changed it a little bit to be able to do a more robust search:
... | stats count(eval(searchmatch("PARAMETER01=*house*"))) AS PARAMETER01 count(eval(searchmatch("PARAMETER02=*house*"))) AS PARAMETER02 count(eval(searchmatch("PARAMETER03=*house*"))) AS PARAMETER03
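The answer above recommends wrapping the per-field counts in a macro but does not show the definition; the following macros.conf stanzas are an added example (not from any poster in this thread) that implement both the exact-match form and the searchmatch wildcard variant from the last reply. The macro names (facet_count, facet_count_like) and the file location are assumptions.

```ini
# Added example: macros.conf stanzas for a faceted "how many events match per field" search.
# Place in $SPLUNK_HOME/etc/apps/<app>/local/macros.conf (or create via Settings > Advanced search > Search macros).
# Macro names and the three PARAMETER fields are assumptions taken from the sample data in the thread.

# Exact-match facet. Call it as: ... | `facet_count("house")`
# The argument is substituted verbatim, so pass it WITH quotes: without them the
# definition expands to PARAMETER01=house, which compares two fields instead of
# matching the string "house".
[facet_count(1)]
args = term
definition = stats count(eval(PARAMETER01=$term$)) AS PARAMETER01 count(eval(PARAMETER02=$term$)) AS PARAMETER02 count(eval(PARAMETER03=$term$)) AS PARAMETER03

# Substring facet using searchmatch, as in the last reply. Call it as: ... | `facet_count_like(house)`
# Pass the argument WITHOUT quotes here, because it is spliced into an already
# quoted search string and wrapped in wildcards.
[facet_count_like(1)]
args = term
definition = stats count(eval(searchmatch("PARAMETER01=*$term$*"))) AS PARAMETER01 count(eval(searchmatch("PARAMETER02=*$term$*"))) AS PARAMETER02 count(eval(searchmatch("PARAMETER03=*$term$*"))) AS PARAMETER03
```

Against the four sample rows in the question, `facet_count("house")` returns PARAMETER01=1, PARAMETER02=0, PARAMETER03=2, the result the question asks for; adding a field means adding one more count(eval(...)) term to the definition rather than editing every saved search.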