Splunk Search

How do I create a faceted, multi-filter search with counting over multiple fields?

lisardggy
New Member

I'm writing a generic search layer that allows our users to have drilldown, faceted search experience. This means that for a given set of search results, I want to see the distribution of existing values for a set of given fields, with a count of matches. This will allow the user to select one of those values and run a second search, narrowing down the results.

It seems easy enough to do it for one result field, using stats count or chart count. The problem is that counting over multiple fields results in a narrow AND count, rather than a separate count for each different field.

I've tried implementing this with subsearches - search host="test" | chart count by field1 | append [search host="test" | chart count by field2] but this requires me to pass the search filters ( ( host="test") for every internal subsearch, in essence running the search n times instead of just getting stats on a single set of search results. It might be more efficient than running n searches from my code, but it still seems wasteful.

So, is there a way to achieve this without running multiple searches? It would be even better if I can get the search results alongside the search stats in a single hit.

0 Karma

bemantunes
Explorer
0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...