- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How do I group results based on 3 fields?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How do I group results based on 3 fields?
I am trying to group three fields together and have the first two to be unique values. The fields are Sensor Name, Work Station, and Events. What I am trying to do is get a list of Work Stations per Sensor and all the Events that fired on the Workstation without repeating the Sensor name or the Work Station name. Any help would be great since I feel like i am beating my head against the wall.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try something like this. Again, this is efficient/easy to view if the number of events per Sensor/WorkStation combinations are low <100)
your base search giving fields Sensor_name Work_station Event | stats values(Work_station) as Work_stations list(Event) as Events by Sensor_name
The output will be like this (in single row, all events for all work stations for the sensor )
Sensor1 WorkStation1 Event1
WorkStation2 Event2
Event3
Event4
If you want to segregate events for a WorkStation, then try like this
your base search giving fields Sensor_name Work_station Event | stats list(Event) as Events by Sensor_name, Work_station
The output will be like this (3 rows )
Sensor1 WorkStation1 Event1
Sensor1 WorkStation2 Event2
Event3
Sensor1 WorkStation3 Event4
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Somesoni2 Thank you for your reply. What i am actually trying to get at is the Events segregated by workstation and the workstations segregated by sensor so that only one sensor is listed, each workstation per sensor that has events is listed and each event that happened on a workstation is listed per workstation.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
For formatting the code/output, select the text and click on button 101010 available on top of the text box, OR select the text and press Ctrl+K.
The expected format you're looking for is like double level row merge in Excel, which I'm afraid is not available in Splunk. So, you can either go with option 2 OR go with option 1 with some customization so that you can segregate the Events. Something like this (see if it helps):-
your base search giving fields Sensor_name Work_station Event | stats count by Sensor_name Work_station Event | appendpipe [| stats count by Sensor_name, Work_station | eval Event="*****".Work_station."*****"] | stats values(Work_station) as Work_stations list(Event) as Events by Sensor_name
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Somesoni2 thank you for your reply. These are close to what I am looking for but not quite there. So I am looking for each unique work station to show up under thier unique sensor and every event that fired next to the work station it fired on. How do you do the formatting on your examples so I can show you better what I am talking about.
Join Us for Splunk University and Get Your Bootcamp Game On!
.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!
Announcing Scheduled Export GA for Dashboard Studio
