Splunk Search

How to group by forcing line value

matimat
Explorer

Hi,

I want to show how many lines contain a given value, even if no line is returned for it.

My data:

Row 1:
F1: a
Row 2:
F1: b

Desired result in a table:
F1 => Nb
a => 1
b => 1
c => 0

1 Solution

woodcock
Esteemed Legend

Like this:

| makeresults
| eval host="All real events will have a 'host' value"
| eval F1="a b"
| makemv F1
| mvexpand F1

| rename COMMENT AS "Everything above generates sample events; everything below is your solution"

| append [| makeresults
| rename COMMENT AS "This would better be done using a 'lookup' file with '| inputlookup append=t' instead of '| makeresults ...'"
| eval F1="a b c d e f list all possible values here"
| makemv F1 ]
| stats count(host) AS Nb BY F1

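The lookup-based variant that the COMMENT line in the accepted answer points at, written out as an added example (not code from the original thread). The lookup file f1_expected_values.csv (a one-column CSV whose header is F1, holding every value you expect to see) and the index/sourcetype in the first line are assumptions. The same pattern is how a defender surfaces silent log sources: put every expected host or sourcetype in the lookup, count events BY that field, and any row that stays at 0 is a source that has stopped sending.

```spl
| rename COMMENT AS "Assumed index/sourcetype; replace with the search that produces your real events"
index=main sourcetype=my_app
| stats count AS Nb BY F1
| rename COMMENT AS "Assumed lookup: one F1 column listing every expected value, so missing values get a row"
| inputlookup append=t f1_expected_values.csv
| rename COMMENT AS "Rows that came only from the lookup have no Nb yet; force them to 0"
| fillnull value=0 Nb
| rename COMMENT AS "Merge the event counts with the zero rows; a value seen in events keeps its count"
| stats sum(Nb) AS Nb BY F1
| sort F1
```

With events for a and b and a lookup listing a, b and c, this returns a => 1, b => 1, c => 0. Using a lookup instead of a hard-coded eval means the list of expected values can be maintained without editing the search.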


matimat
Explorer

Thanks, your solution works. I added this:

| append [| makeresults | eval F1="a b c" | makemv F1] | stats count(host) AS Nb BY F1


nplamondon
SplunkTrust

@woodcock answered a very similar question a while back. Check out https://answers.splunk.com/answers/566928/how-to-find-missing-values-from-a-search-events-co-1.html

arjunpkishore5
Motivator

Do you have a master list of all possible values for F1? If yes, is it in a lookup file?
