Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Want to do GROUP BY to my result set

abhayneilam
Contributor
‎10-19-2012 11:26 AM

Hi,

My input is :

Name File Grade

abhay file1 A
murari file2 B
abhay file3 C
abhay file4 A
trid file5 D
murari file4 E

My output should be :

Name File Grade

abhay 3 A,C
murari 2 B,E
trid 1 D

Means, Abhay is having 3 files, Murari is having 2files and trid is having 1 files along with their corresponding GRADE.

Please help !!

Thanks in advance,
Abhay

Tags (3)
Reply

yannK
Splunk Employee
Splunk Employee
‎10-23-2012 08:52 PM

* | stats dc(File) AS "number of distinct files" values(File) AS "List of Files" values(Grade) AS "List of Grades" by Name

You are welcome.

Reply

l0pher
Explorer
‎06-04-2015 12:02 AM

This is wonderful. values(xxx) function did it. This is exactly what I'm after.

0 Karma
Reply

yannK
Splunk Employee
Splunk Employee
‎08-21-2013 10:34 AM

I do not know multivalue sorting tools out of the box, you may want to read this one http://answers.splunk.com/answers/11394/is-it-possible-to-sort-or-reorder-a-multivalue-field

0 Karma
Reply

michaudel
Explorer
‎08-21-2013 10:24 AM

Awesome i was sort of working in the same direction. The problem i am having is that now that i have a MV Field, i can't sort the field. So below shows an example of one of the fields returned. What i need to do is order the MV field so when i go after the indexes of the MV field i am getting back the correct number. Unfortunately the app server doesn't give them to me in order. So if i just did the index of 16 below i would get 31, but what should actually be the 16th index is 190. So how to sort the values of an MV field?

rexLatency
1

0
31
0
31
31
26
0
177
190
179
190
190
185
179
31
31

0 Karma
Reply

yannK
Splunk Employee
Splunk Employee
‎10-20-2012 10:08 PM

guys, if you want your answers to be accepted, don't write then as comments.
You should repost as an answer to get karma 🙂

Reply

bmacias84
Champion
‎10-19-2012 01:10 PM

Did my search work for you or do you still need assistance? You shouldn't need the where statement.

... | eval Grade=if(Name=Name,mvjoin(Grade,","), Grade) |stats count(file) as file values(Grade) by Name

for got my if statment

Reply

abhayneilam
Contributor
‎10-19-2012 12:29 PM

Thanks a lot for your assistance !!

0 Karma
Reply

abhayneilam
Contributor
‎10-19-2012 12:15 PM

index="a" |where isnotnull(Grade) | eval Grade=(Name=Name,mvjoin(Grade,","), Grade) |stats count(file) as file values(Grade) by Name

I am giving this query but getting the following error :

[EventsViewer module] Error in 'eval' command: The expression is malformed. Expected ).

0 Karma
Reply

bmacias84
Champion
‎10-19-2012 11:48 AM

I wrote this off the cuff so it might work or give you a few Ideas.



... | eval Grade=(Name=Name,mvjoin(Grade,","), Grade) |stats count(file) as file values(Grade) by Name

0 Karma
Reply
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...