Calculating fields by groups of events

andrey2007 · ‎03-07-2013

Hello,
I need to group events by 3 filelds ip,login and city (one group with same login,same ip and same city),
something like this
user1 192.168.1.1 London field4...fieldn
user1 192.168.1.1 London field4...fieldn
user1 192.168.1.1 London field4...fieldn

user1 2.2.2.2 London field4...fieldn
user1 2.2.2.2 London field4...fieldn
....
user10 4.4.4.4 NY field4...fieldn
user10 4.4.4.4 NY field4...fieldn
user10 4.4.4.4 NY field4...fieldn
after this i need to calculate custom fields INSIDE EVERY GROUP, for example sum of events in group with field4`s value=5 or minimal value of fieldn where field4=12.
I tried to use transaction command

| transaction ip, login, city

but I don`t find out how to calculate custom fileds separately for each transaction.

Also, I was looking at stats command, but as I understood, it`s not possible to use eval command inside stats statement.

What`s the best way to do it?

andrey2007 · ‎03-11-2013

i made without transaction command
1st report
...|where field4==12 | stats min(fieldn) by ip, login, city
2nd report
...|where field4==5 | stats count(field4) by ip, login, city
but i need it all in one united report

martin_mueller · ‎03-08-2013

You could do something like this for your two examples:

... | eventstats count(eval(field4==5)) as result by ip login city

... | eventstats min(eval(if(field4==12,fieldn,null))) as min by ip login city

Calculating fields by groups of events

Introducing the Splunk Community Dashboard Challenge!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...