Good afternoon,
I am trying to take data from multiple sourcetypes, combine it by a common field and then output it to one entry per line when exporting to CSV. I'm having difficulty because there are several fields but only a couple have multiple values. The fields with multiple values show up in one cell. I have tried several suggestions I have come across in searching, but none of them seem to do what I'm attempting.
To start with, another organization hosts the SPLUNK instance, so I do not have access to any back end modifications such as props.conf. I am able to run searches and create dashboards, that is about it.
We have 1 index assigned to this data, and 4 source types. The data I need is spread across all 4 source types and there is one common field (key) between the four. Three of the four source types will return a single event per key, but the 4th can return multiple events per key. When I run my search using stats, I get the data from the first three pretty in a line, then the fields from the fourth will have multiple lines per row. When exported, these show up as a single cell in excel. Hope this makes sense.
Example:
Sourcetype1 contains Fielda Fieldb Fieldc
Sourcetype2 contains Fielda Fieldd Fielde
Sourcetype3 contains Fielda Fieldf Fieldg
Sourcetype4 contains Fielda FieldH FieldI FieldJ
```
index=* [search index=* Search_criteria | table Fielda | rename Fielda as query] | stats values(*) as * by Fielda
| stats list(Fieldb) as Fieldb, list(Fieldc) as Fieldc, list(Fieldd) as Fieldd, list(Fielde) as Fielde, list(Fieldf) as Fieldf, list(Fieldg) as Fieldg, list(FieldH) as FieldH, list(FieldI) as FieldI, list(FieldJ) as FieldJ by Fielda
```
Result would look like (the multi-valued FieldI and FieldJ stack inside one cell):

```
Fieldb  Fieldc  Fieldd  Fielde  Fieldf  Fieldg  FieldH  FieldI  FieldJ
A1      A1      A1      A1      A1      A1      A1      A1      A1
                                                        A1.1    A1.1
A2      A2      A2      A2      A2      A2      A2      A2      A2
                                                        A2.1    A2.1
                                                        A2.2    A2.2
A3      A3      A3      A3      A3      A3      A3      A3      A3
A4      A4      A4      A4      A4      A4      A4      A4      A4
A5      A5      A5      A5      A5      A5      A5      A5      A5
                                                        A5.1    A5.1
                                                        A5.2    A5.2
```
And I need it to look like this when exported to CSV:

```
Fieldb  Fieldc  Fieldd  Fielde  Fieldf  Fieldg  FieldH  FieldI  FieldJ
A1      A1      A1      A1      A1      A1      A1      A1      A1
A1      A1      A1      A1      A1      A1      A1      A1.1    A1.1
A2      A2      A2      A2      A2      A2      A2      A2      A2
A2      A2      A2      A2      A2      A2      A2      A2.1    A2.1
A2      A2      A2      A2      A2      A2      A2      A2.2    A2.2
A3      A3      A3      A3      A3      A3      A3      A3      A3
A4      A4      A4      A4      A4      A4      A4      A4      A4
A5      A5      A5      A5      A5      A5      A5      A5      A5
A5      A5      A5      A5      A5      A5      A5      A5.1    A5.1
A5      A5      A5      A5      A5      A5      A5      A5.2    A5.2
```
I've tried using transaction instead of the stats command. I've also tried adding "by Fielda FieldI FieldJ" at the end of the stats, and that just seems to create multiple entries for each possible combination of .1 and .2 answers. Any help that could be offered would be greatly appreciated.
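One way to get one row per Sourcetype4 event while carrying along the single-valued fields from the other three source types, as an added example that is not part of the original post; it assumes the index is called your_index (a placeholder) and that every key has at least one Sourcetype4 event:

```spl
index=your_index (sourcetype=Sourcetype1 OR sourcetype=Sourcetype2 OR sourcetype=Sourcetype3 OR sourcetype=Sourcetype4)
    [search index=your_index Search_criteria | table Fielda | rename Fielda as query]
| eventstats values(Fieldb) as Fieldb, values(Fieldc) as Fieldc,
             values(Fieldd) as Fieldd, values(Fielde) as Fielde,
             values(Fieldf) as Fieldf, values(Fieldg) as Fieldg by Fielda
| where sourcetype="Sourcetype4"
| table Fielda, Fieldb, Fieldc, Fieldd, Fielde, Fieldf, Fieldg, FieldH, FieldI, FieldJ
```

eventstats copies each key's Fieldb through Fieldg values onto every event that shares that Fielda, so after the where clause each Sourcetype4 event becomes its own row with its own FieldH, FieldI and FieldJ, which is what the desired CSV layout needs. Keys that have no Sourcetype4 event are dropped by the where clause.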
https://answers.splunk.com/answers/565459/help-with-the-logic-to-make-this-count-my-fields-c.html
Hi, I have the following field called OS with 6 different values and count for each value:
Windows = 5
Mac = 4
Linux = 5
Mac, Windows = 10
Mac, Windows, Linux = 12
Mac, Linux = 11
The problem is that the real total of Windows values would be **Windows,Windows+Mac,Windows,Linux** (5+10+12).
So I would like to separate Mac,Windows into Windows and Mac values and add them to the Windows and Mac value.
At the end I would like to have something like:
Windows=27
Mac=26
Linux=16
My idea is to rename them twice but it doesn't really work out for me. Any ideas or solutions are welcome.
Chart count by specific colon separated field (syslog)
https://answers.splunk.com/answers/122091/chart-count-by-specific-colon-separated-field-syslog.html
Hi,
I'm new to Splunk and I'm not a developer, and I got stuck trying to make a simple graphical display in a dashboard showing syslog sources, using the hostnames given in the syslog messages, as in the example below (*AP01-MATRIX*).
If I use "chart count by host" it gives me a graphic with *197.116.14.182*, but I need to use *AP01-MATRIX* instead. I thought about using something simple like getting the 4th item separated by colon, but I don't know how.

Feb 10 12:22:26 197.116.14.182 274: ***AP01-MATRIX***: *Mar 4 12:22:26.490 UTC: %DOT11-4-CCMP_REPLAY: Client baf6.85f8.1da6 had 1 AES-CCMP TSC replays
host = **197.116.14.182** source = udp:514 sourcetype = syslog
Thanks in advance.