Bucketing text values

sranga · ‎06-04-2010

Hi

I was wondering if there is a way to use the bucket command on fields that have text values. If not, is there a way to achieve this through other commands?

For example, if I have the following in my log file:

<time>: id=1, field1=abc, field2=blah, field3=290  
<time>: id=2, field1=def, field2=blah, field3=2  
<time>: id=3, field1=yyy, field2=blah, field3=90  
<time>: id=4, field1=def, field2=blah, field3=9980  
<time>: id=5, field1=zzz, field2=blah, field3=29023  
<time>: id=6, field1=abc, field2=blah, field3=29330

I would like to bucket the results based on the field1 values, something similar to bucket field1 ....

Thanks for your help.

Ranga

lguinn2 · ‎05-21-2012

Why are you bucketing? If you want to summarize the results in some way, you could do this, for example:

yoursearchhere |
stats count sum(field3) as totalField3 by field1

which would summarize across the entire time period. If you wanted to do it hour-by-hour, you could do something like this

yoursearchhere |
bucket _time span=1h |
stats count sum(field3) as totalField3 by field1 _time

Stephen_Sorkin · ‎06-07-2010

You can use the eval command to do this explicitly, for example:

... | eval new_field1 = substr(field1, 0, 1) + "..." | ...

This will create a new field, "new_field1" that will collapse everything past the first character.

sranga · ‎06-08-2010

Wouldn't this just create a new field with the starting alphabet of field1? How would it bucket the results?

sranga · ‎06-07-2010

Yes, group by values starting with alphabets.

gkanapathy · ‎06-05-2010

It's not clear to me what you mean by this. Do you mean to group, e.g., values that start with A-E, F-K, L-P, etc?

Stephen_Sorkin · ‎06-04-2010

Could you be more specific?

Bucketing text values

Introducing Splunk Enterprise 9.2

Adoption of RUM and APM at Splunk

Routing logs with Splunk OTel Collector for Kubernetes