Solved: Simplifing a search

cpeteman · ‎07-30-2013

Two Splunk users have saved basically the same search:

searchterms | stats count by punct | table punct,count | append [ search searchterms | dedup punct | table punct,_raw ] | selfjoin punct | sort-count

and

searchterms | stats count by punct | rename punct as spunct | rename count as scount | table spunct scount | append [ search searchterms | dedup punct | rename punct as spunct | table spunct _raw ] | selfjoin spunct

It seems that I should be able to replace both of these with a much simpler search (with no subsearch) such as:

searchterms | stats count by punct | dedup punct | table punct,count,_raw | sort-count

The goal being to give one _raw message for each punct type along with the punct message and the number of occurrences of that punct. However the _raw field is empty. Help.

SOLUTION: I took a look at this again after having worked a lot more with Splunk and saw there's a way better way to do this:

searchterms | stats count first(_raw) AS raw by punct | sort-count

is all it takes.

passing · ‎07-30-2013

Try:

searchterms | stats count first(_raw) AS raw by punct | dedup punct | table punct,count,raw | sort-count

View solution in original post

passing · ‎07-30-2013

Try:

searchterms | stats count first(_raw) AS raw by punct | dedup punct | table punct,count,raw | sort-count

cpeteman · ‎07-30-2013

You guys never fail to prove that subsearches are avoidable Thanks!

sowings · ‎07-30-2013

The stats command nuked the _raw because you didn't tell it to include it, whether as a calculated value (values, first, last, avg, max, etc) or as a differentiator in the "by" clause.

Simplifing a search

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!