- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- aggregating stats by wildcard or arbitrary number ...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Imagine I have the following data:
msg uid AB_test1 AB_test2
click 1 A A
reqst 2 B A
click 3 B B
reqst 4 A B
click 5 B A
reqst 6 B A
click 7 A A
reqst 8 A B
I want to do a stats query aggregating the results of my various AB tests for the "click" msg. I can do this:
msg="click" | stats count by AB_test1, AB_test2
But imagine I now have AB_test3 through AB_test10 or a variable number of tests running at once. I don't want to have to do this:
msg="click" | stats count by AB_test1, AB_test2, ... AB_test10
I'd like to do something similar to this:
msg="click" | stats count by AB_*
Is this possible, or is there some similar syntax that essentially groups data by an arbitrary set of fields?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I'm pretty sure that this technique will fall apart if you want to do anything more complicated, but ..
| inputlookup example.csv | fields - uid | search msg="click" | stats count(AB*) | transpose | rex field=column ^count\((?<column>.*?)\) | rename column as field | rename "row 1" as count
returns
field count
AB_test1 4
AB_test2 4
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I suppose that there is no hope of transforming the data into this format:
msg uid testName testResult
click 1 test1 A
click 1 test2 A
BTW, it would be nice if you could wildcard the stats command as you showed! But you can't, and I can't see any other easy way to do what you want.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I'm pretty sure that this technique will fall apart if you want to do anything more complicated, but ..
| inputlookup example.csv | fields - uid | search msg="click" | stats count(AB*) | transpose | rex field=column ^count\((?<column>.*?)\) | rename column as field | rename "row 1" as count
returns
field count
AB_test1 4
AB_test2 4
Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!
They're back! Join the SplunkTrust and MVP at .conf24
Enterprise Security Content Update (ESCU) | New Releases
