Splunk Search

Want to do GROUP BY to my result set

abhayneilam
Contributor

Hi,

My input is :

Name File Grade
abhay file1 A
murari file2 B
abhay file3 C
abhay file4 A
trid file5 D
murari file4 E

My output should be :

Name File Grade
abhay 3 A,C
murari 2 B,E
trid 1 D

That is, Abhay has 3 files, Murari has 2 files and trid has 1 file, along with their corresponding grades.

Please help !!

Thanks in advance,
Abhay


yannK
Splunk Employee

* | stats dc(File) AS "number of distinct files" values(File) AS "List of Files" values(Grade) AS "List of Grades" by Name

You are welcome.
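The search below is an added example, not part of the original answer: it rebuilds the six sample rows from the question with `makeresults` (constructed data, so it runs on any search head without an index) and applies the same `stats ... by Name` approach, using `mvjoin` to collapse the multivalue Grade field into the comma-separated form the question asks for. The `row` field and the output field names are assumptions chosen to match the question's column headers.

```spl
| makeresults
| eval row=split("abhay,file1,A;murari,file2,B;abhay,file3,C;abhay,file4,A;trid,file5,D;murari,file4,E", ";")
| mvexpand row
| eval Name=mvindex(split(row, ","), 0), File=mvindex(split(row, ","), 1), Grade=mvindex(split(row, ","), 2)
| stats dc(File) AS File values(Grade) AS Grade by Name
| eval Grade=mvjoin(Grade, ",")
| table Name File Grade
```

`values()` returns distinct values in lexicographical order, so abhay's two A grades collapse to a single A; use `list()` instead if duplicates and arrival order must be kept.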

l0pher
Explorer

This is wonderful. values(xxx) function did it. This is exactly what I'm after.

0 Karma

yannK
Splunk Employee

I do not know of any multivalue sorting tools out of the box; you may want to read this one: http://answers.splunk.com/answers/11394/is-it-possible-to-sort-or-reorder-a-multivalue-field

0 Karma

michaudel
Explorer

Awesome, I was sort of working in the same direction. The problem I am having is that now that I have an MV field, I can't sort the field. Below is an example of one of the fields returned. What I need to do is order the MV field so that when I go after the indexes of the MV field I get back the correct number. Unfortunately the app server doesn't give them to me in order. So if I just did the index of 16 below I would get 31, but what should actually be the 16th index is 190. So how do I sort the values of an MV field?

rexLatency
1

0
31
0
31
31
26
0
177
190
179
190
190
185
179
31
31

0 Karma

yannK
Splunk Employee

Guys, if you want your answers to be accepted, don't write them as comments.
You should repost as an answer to get karma 🙂

bmacias84
Champion

Did my search work for you or do you still need assistance? You shouldn't need the where statement.

... | eval Grade=if(Name=Name,mvjoin(Grade,","), Grade) |stats count(file) as file values(Grade) by Name

Forgot my if statement.

abhayneilam
Contributor

Thanks a lot for your assistance !!

0 Karma

abhayneilam
Contributor

index="a" |where isnotnull(Grade) | eval Grade=(Name=Name,mvjoin(Grade,","), Grade) |stats count(file) as file values(Grade) by Name

I am giving this query but getting the following error :

[EventsViewer module] Error in 'eval' command: The expression is malformed. Expected ).

0 Karma

bmacias84
Champion

I wrote this off the cuff, so it might work or give you a few ideas.


... | eval Grade=(Name=Name,mvjoin(Grade,","), Grade) |stats count(file) as file values(Grade) by Name

0 Karma