Splunk Search

Is it possible to do faceted search with Splunk, similarly to what we do with Solr?

bemantunes
Explorer

I'm new to Splunk and I have been searching for a way to do faceted search, similarly to what I have been doing with Solr. But no success so far. Hope you can give me a hand on this.

Imagine I have the following data sample.

PARAMETER01 | PARAMETER02 | PARAMETER03
house | road | road
car | tree | house
road | car | car
tree | car | house

What I want to know is how many times a search matches a specific field. For instance, I want to be able to search for "house" and get the following results:

PARAMETER01: 1
PARAMETER02: 0
PARAMETER03: 2

Can I do this with Splunk?
Thank you in advance.

1 Solution

woodcock
Esteemed Legend

You can do it as a one-off like this:

 ... | stats count(eval(PARAMETER01="house")) AS PARAMETER01 count(eval(PARAMETER02="house")) AS PARAMETER02 count(eval(PARAMETER03="house")) AS PARAMETER03

But you should probably convert this to a macro which you can call like this:

... | `MyMacro("house")`

bemantunes
Explorer

Hi everyone,

I found the solution provided to be very slow, especially when we have a considerable number of fields to search.

Is there an alternative way to get the same results?
Or is there any way to optimize the Splunk dataset to improve this kind of search?

Thanks in advance.

woodcock
Esteemed Legend

Using stats is the most efficient (quickest) way to do this kind of thing.

bemantunes
Explorer

Thanks woodcock!

It worked as expected. I just changed it a little bit to be able to do a more robust search:

... | stats count(eval(searchmatch("PARAMETER01=*house*"))) AS PARAMETER01 count(eval(searchmatch("PARAMETER02=*house*"))) AS PARAMETER02 count(eval(searchmatch("PARAMETER03=*house*"))) AS PARAMETER03
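Added example, not posted by either participant: a macros.conf fragment that turns woodcock's stats one-liner and bemantunes' searchmatch variant into the parameterised macro woodcock suggested, plus a third macro that generalises the same count to any number of PARAMETER* fields with foreach. The macro names (facet_exact, facet_contains, facet_all), the argument name term and the field prefix PARAMETER* are assumptions; the data layout is the sample from the question.

```ini
# macros.conf (added example, not from the thread; macro and argument names are assumptions)
# Each macro takes one argument, the term to facet on, substituted textually as $term$.

# Exact match, the form of woodcock's answer. eval's "=" comparison is
# case-sensitive, so "House" would not be counted by this macro.
[facet_exact(1)]
args = term
definition = stats count(eval(PARAMETER01="$term$")) AS PARAMETER01 \
    count(eval(PARAMETER02="$term$")) AS PARAMETER02 \
    count(eval(PARAMETER03="$term$")) AS PARAMETER03

# Substring match, the searchmatch variant bemantunes settled on. searchmatch
# uses search semantics, so it is case-insensitive and honours the wildcards.
[facet_contains(1)]
args = term
definition = stats count(eval(searchmatch("PARAMETER01=*$term$*"))) AS PARAMETER01 \
    count(eval(searchmatch("PARAMETER02=*$term$*"))) AS PARAMETER02 \
    count(eval(searchmatch("PARAMETER03=*$term$*"))) AS PARAMETER03

# Same result for any number of PARAMETER* fields without listing each one:
# foreach marks every field with 1 or 0 per event, stats sums the marks,
# rename strips the helper suffix so the output columns keep the field names.
# Events where a field is absent contribute nothing to that field's sum.
[facet_all(1)]
args = term
definition = foreach PARAMETER* [eval <<FIELD>>_hit=if(<<FIELD>>="$term$", 1, 0)] \
    | stats sum(*_hit) \
    | rename "sum(*_hit)" AS *
```

Call them as `` `facet_exact(house)` ``, `` `facet_contains(house)` `` or `` `facet_all(house)` `` at the end of a search; on the four sample rows each returns PARAMETER01=1, PARAMETER02=0, PARAMETER03=2. The argument is substituted verbatim into the definition, so with this layout it is passed without quotes, and when the term comes from a dashboard input it should be validated first, since a value containing a double quote changes the generated search. For the exact-match case, putting the term in the base search as well (`index=<your index> house | `facet_exact(house)``) lets Splunk drop non-matching events using the index before stats counts anything, which is the main lever against the slowness bemantunes reported; a leading-wildcard `*house*` pattern cannot take that shortcut and has to scan every event.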