Splunk Search

How do I sum the counts of all the similar values in a field to show as a single item?

praneethkodali
Explorer

Below search command is giving the results as below

source="report1447097285313.csv" host="ca2indslogprd02" index="poc" sourcetype="csv" "Lost Detail"="*" host="*"| top limit=20 "Lost Detail"

alt text

How do I sum all the %duplicate% values in the field Lost Detail and show it as a single value?For example, I would like to show the results for Duplicate, duplicate, duplicate opportunity, Duplicate Opp in below table as one value with the sum of its count.

0 Karma
1 Solution

aljohnson_splun
Splunk Employee
Splunk Employee

The essence here is using eval to match on case insensitive duplicate:

| eval "Lost Detail" = if(match('Lost Detail', "(?i)duplicate.*"), "duplicate", 'Lost Detail')

In the case that the regular expression (?i)duplicate.* is matched to the value of the field Lost Detail, return "duplicate" as the value, otherwise, just return return the value of Lost Detail (single quotes are crucial!).

 source="report1447097285313.csv" host="ca2indslogprd02" index="poc" sourcetype="csv" "Lost Detail"="*" host="*"
| eval "Lost Detail" = if(match('Lost Detail', "(?i)duplicate.*"), "duplicate", 'Lost Detail')
| top limit=20 "Lost Detail"

View solution in original post

aljohnson_splun
Splunk Employee
Splunk Employee

The essence here is using eval to match on case insensitive duplicate:

| eval "Lost Detail" = if(match('Lost Detail', "(?i)duplicate.*"), "duplicate", 'Lost Detail')

In the case that the regular expression (?i)duplicate.* is matched to the value of the field Lost Detail, return "duplicate" as the value, otherwise, just return return the value of Lost Detail (single quotes are crucial!).

 source="report1447097285313.csv" host="ca2indslogprd02" index="poc" sourcetype="csv" "Lost Detail"="*" host="*"
| eval "Lost Detail" = if(match('Lost Detail', "(?i)duplicate.*"), "duplicate", 'Lost Detail')
| top limit=20 "Lost Detail"

praneethkodali
Explorer

thank you johnson. Above eval function is giving me "Error in 'eval' command: The arguments to the 'case' function are invalid". I tried adding closing brace to case function ? Did i miss anything with respect to the syntax. I apologize for asking the basic question

source="report1447097285313.csv" host="ca2indslogprd02" index="poc" sourcetype="csv" "Lost Detail"="*" host="*"
 | eval "Lost Detail" = case(match("Lost Detail", "(?i)duplicate.*"), "duplicate", "Lost Detail"**)**
 | top limit=20 "Lost Detail"
0 Karma

aljohnson_splun
Splunk Employee
Splunk Employee

Sorry ! It should've been if, not case.

Case takes pairs of arguments e.g. case(X, Y, X, Y,...) where each x is a boolean and y is the returned value if x is true.

If however takes 3 arguments, e.g. if(X,Y,Z), where x is boolean - if true, return y, else, return z.

Was also missing a ending parens. My bad.

@praneethkodali
@sundareshr

0 Karma

praneethkodali
Explorer

thank you, it worked. I used single quotes for the 'Lost Detail' field in match and if functions from your answer.

aljohnson_splun
Splunk Employee
Splunk Employee

Haha I missed those too ! I will update the answer for future people but sorry for my sloppiness. Glad you got it working.

0 Karma

sundareshr
Legend

Try removing the space in your field name eg. "Lost Detail" s/b Lost_Detail See if that helps. You can always add the space back with a replace commande

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...