Getting Data In

Break script output into top values on multi value keys

scalexan62
Engager

I have a script that produces output like the following:

foo=abc, bar=efg, size=100
foo=abc, bar=kkk, size=102
foo=cba, bar=fff, size=110
foo=cba, bar=ppp, size=90
foo=aaa, bar=bbb, size=95

I like to now get a chart showing the top values something like this:

foo/bar                size
-------                ----
cba/fff                110
abc/kkk                102
abc/efg                100
aaa/bbb                 95
cba/ppp                 90

Any suggestions. Do I need to break this up into separate events?

Tags (1)
0 Karma

sbrant_tt
Explorer

I think this will work for you:

 | multikv noheader=t | rex field=Column_1 "foo=(?<foo>.*)" | rex field=Column_2 "bar=(?<bar>.*)" | rex field=Column_3 "size=(?<size>.*)" | eval "foo/bar"=foo."/".bar | top size by foo/bar showcount=f showperc=f
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...