I want to implement a group_concat-like behavior in Splunk. Here, as in the table, serviceA has 2 entries which need to be combined with a delimiter, and the count needs to be added. Is there any way we can achieve this functionality using SPL? Any help is appreciated. Thanks!!
... | stats count, values(Status) by Service_Name
You need to create a multi-value field, and values() will be an appropriate way to do it in your case.
To combine the Status values with comma separators, add these commands to your query.
| stats count as Count, values(Status) as Status by Service_name
| eval Status = mvjoin(Status, ",")
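As an added, self-contained illustration of the answer above (not part of the original post), the search below builds a few constructed events with makeresults instead of reading an index, then shows both values() and list() next to each other. The field names Service_Name and Status match the question; the service and status values are made up for the example.

```spl
| makeresults count=4
| streamstats count as n
| eval Service_Name=case(n<=3, "serviceA", true(), "serviceB"),
       Status=case(n=2, "Stopped", true(), "Running")
| fields - n _time
| stats count as Count,
        values(Status) as Unique_Status,
        list(Status) as All_Status
        by Service_Name
| eval Unique_Status=mvjoin(Unique_Status, ","),
       All_Status=mvjoin(All_Status, ",")
```

serviceA comes out with Count=3, Unique_Status "Running,Stopped" and All_Status "Running,Stopped,Running"; serviceB with Count=1 and "Running" in both columns. The difference matters for the group_concat use case: values() deduplicates and sorts the multi-value field, so it is the right choice when you want each distinct status once, while list() keeps every occurrence in event order (capped at 100 values per group). mvjoin then turns whichever multi-value field you keep into a single delimited string.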
Related
The objective of the query I'm trying to write is to take a count of raw data from the previous month and add that to a count from a lookup table (.csv).
What I have attempted to do is…
index=*** source=***
| stats count(_raw) as monthCount
| join
[ | inputlookup Log_Count_YTD.csv]
| eval countYTD = toNumber(monthCount) + toNumber(TOTAL_COUNT_YTD)
| table countYTD
This query doesn’t return any value on a table. The TOTAL_COUNT_YTD is the only field from the inputlookup file. Let me know if there is any other information you need to help me out with this one. Thanks!
The stats command transforms the data so it has only 1 field: monthCount. The inputlookup returns only the TOTAL_COUNT_YTD field. The join command works by comparing values of common fields between the main search and the subsearch. Since there are no common fields no events are joined.
There is no need for join in this case. The appendcols command will do, assuming the CSV contains a single field in a single row.
index=*** source=***
| stats count as monthCount
| appendcols
[ | inputlookup Log_Count_YTD.csv]
| eval countYTD = toNumber(monthCount) + toNumber(TOTAL_COUNT_YTD)
| table countYTD
FWIW, the tonumber function is unnecessary, but doesn't hurt.
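The following search is an added example (not from the original answer) that stands in for the index search and the CSV with constructed makeresults data, so it runs on any Splunk instance. It also shows the two guards a practitioner would add around appendcols: collapse the subsearch to a single row, because appendcols pairs rows by position and only the first row of a multi-row lookup would line up with the single stats row, and wrap the appended field in coalesce so an empty or missing lookup yields the month count instead of a null countYTD. The field names monthCount and TOTAL_COUNT_YTD are taken from the question; the numbers are made up.

```spl
| makeresults count=5
| stats count as monthCount
| appendcols
    [ | makeresults count=3
      | streamstats count as n
      | eval TOTAL_COUNT_YTD=n*100
      | stats sum(TOTAL_COUNT_YTD) as TOTAL_COUNT_YTD ]
| eval countYTD = monthCount + coalesce(TOTAL_COUNT_YTD, 0)
| table monthCount TOTAL_COUNT_YTD countYTD
```

This returns one row with monthCount=5, TOTAL_COUNT_YTD=600 and countYTD=605. To use it against real data, replace the outer makeresults with the index=... source=... search and the inner makeresults/streamstats/eval with `| inputlookup Log_Count_YTD.csv`, keeping the `stats sum(...)` so the subsearch always produces exactly one row.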
I have 4 fields (Name, age, class, subject) in one index (Student_Entry) and I want to add up the total events, but I want to exclude those events that have any value in the subject field.
I tried the below two ways:
index=Student_Entry Subject !=* | stats count by event
index=Student_Entry NOT Subject= * | stats count by event
The NOT and != operators are similar, but not equivalent. NOT will return events with no value in the Subject field, whereas != will not. In your case, use !=. See https://docs.splunk.com/Documentation/Splunk/8.0.4/Search/NOTexpressions
stats count by event does nothing because there is no field called 'event'. To count events, just use stats count.
It looks like you were right using index=Student_Entry Subject !=*
Then you can add only - | stats count
You can do it this way, too:
index=Student_Entry
| where isnull(subject)
| stats count
I'm trying to do a query that will first aggregate by field count and then by bin(1h). For example, I would like to get a result like:
# Date Field Count
1 2019-01-01T10:00:00.000Z A 123
2 2019-01-01T11:00:00.000Z A 456
3 2019-01-01T10:00:00.000Z B 567
4 2019-01-01T11:00:00.000Z B 789
Not sure if it's possible though, the query should be something like:
fields Field
| stats count() by Field by bin(1h)
Any ideas how to achieve this?
Is this what you need?
fields Field | stats count() by Field, bin(1h)
If you want to create a line chart, you can do it by separately counting each value that your field could take.
fields
Field = 'A' as is_A,
Field = 'B' as is_B
| stats sum(is_A) as A, sum(is_B) as B by bin(1hour)
This solution requires your query to include a string literal of each value ('A' and 'B' in OP's example). It works as long as you know what those possible values are.
This might be what Hugo Mallet was looking for, except the avg() function won't work here so he'd have to calculate the average by dividing by a total
Not able to group by a certain field and create visualizations.
fields Field
| stats count() by Field, bin(1h)
I keep getting this message:
No visualization available. Try this to get started:
stats count() by bin(30s)
I want to make a time chart table like this:
Currently I am using two queries.
1. Get the transaction column:
sourcetype="mysource" host="myhost" | timechart count span=1h
2. Get the transaction_success column:
sourcetype="mysource" host="myhost" status="2" | timechart count span=1h
Then I combine them manually in Excel.
How to search that data with only one query?
Currently I have found how to join the queries:
sourcetype="mysource" host="myhost" | timechart count as transaction count(eval(status="2")) as transaction_success span=1h
I hope append should work in your case: Query 1 append Query 2.
Please go through the following posts on Splunk Answers:
https://answers.splunk.com/answers/28621/combine-2-splunk-queries.html
https://answers.splunk.com/answers/182453/how-to-combine-my-two-search-queries-using-join-or.html
https://answers.splunk.com/answers/30909/combine-two-queries-into-a-single-value.html
https://answers.splunk.com/answers/123204/how-to-combine-two-queries-into-one-without-using-eventtypes.html
Suppose I have a SQL query like this:
SELECT
tickets.TicketNumber, history.remarks
FROM
AT_DeviceReplacement_Tickets tickets
INNER JOIN
AT_DeviceReplacement_Tickets_History history
ON tickets.TicketNumber = history.TicketNumber;
I get a table like this in response:
ticketNumber | remarks
-------------+------------
1 | "Hello, there is a problem."
1 | "Did you check the power cable?"
1 | "We plugged it in and now it works. Thank you!"
2 | "Hello, this is a new ticket."
Suppose that I want to write a query that will concatenate the remarks for each ticket and return a table like this:
ticketNumber | remarks
-------------+------------
1 | "Hello, there is a problem.Did you check the power cable?We plugged it in and now it works. Thank you!"
2 | "Hello, this is a new ticket."
Yes, in the real code, I've actually got these sorted by date, among other things, but just for the sake of discussion, how would I edit the above query to get the result I described?
Have a look at the following questions:
Can I Comma Delimit Multiple Rows Into One Column?
Is it possible to concatenate column values into a string using CTE?
The cleanest solution to this problem is DB dependent. Lentine's links show very ugly solutions for Oracle and SQL Server and a clean one for MySQL. The answer in PostgreSQL is also very short and easy.
SELECT ticket_number, string_agg(remarks, ', ')
FROM
AT_DeviceReplacement_Tickets tickets
INNER JOIN
AT_DeviceReplacement_Tickets_History history
ON tickets.Ticket_Number = history.Ticket_Number
GROUP BY tickets.ticket_number;
(Note you have both ticket_number and TicketNumber in your sample code.)
My guess is that Oracle and SQL Server either (1) have a similar aggregate function or (2) have the capability of defining your own aggregate functions. [For MySQL the equivalent aggregate is called GROUP_CONCAT.] What DB are you using?
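Since the question mentions that the remarks are really sorted by date, here is an added example (not part of the original answer) that carries the PostgreSQL string_agg solution through with the ordering inside the aggregate. The two tables are replaced by constructed CTEs so the statement runs on its own; the created_at column and the timestamps are assumptions for the example, as is the single-space separator that matches the desired output in the question.

```sql
-- Constructed stand-ins for AT_DeviceReplacement_Tickets and its _History table
WITH tickets(ticket_number) AS (
    VALUES (1), (2)
),
history(ticket_number, created_at, remarks) AS (
    VALUES
        (1, TIMESTAMP '2019-01-01 10:00:00', 'Hello, there is a problem.'),
        (1, TIMESTAMP '2019-01-01 10:05:00', 'Did you check the power cable?'),
        (1, TIMESTAMP '2019-01-01 10:20:00', 'We plugged it in and now it works. Thank you!'),
        (2, TIMESTAMP '2019-01-02 09:00:00', 'Hello, this is a new ticket.')
)
SELECT t.ticket_number,
       -- ORDER BY inside the aggregate is what fixes the concatenation order;
       -- an ORDER BY on the outer query does not guarantee it
       string_agg(h.remarks, ' ' ORDER BY h.created_at) AS remarks
FROM tickets t
JOIN history h ON h.ticket_number = t.ticket_number
GROUP BY t.ticket_number
ORDER BY t.ticket_number;

-- Same query on other engines (aggregate expression only):
--   MySQL:           GROUP_CONCAT(h.remarks ORDER BY h.created_at SEPARATOR ' ')
--   SQL Server 2017+: STRING_AGG(h.remarks, ' ') WITHIN GROUP (ORDER BY h.created_at)
```

Ticket 1 returns the three remarks joined in timestamp order and ticket 2 its single remark. One caveat for MySQL: GROUP_CONCAT silently truncates its result at group_concat_max_len bytes (1024 by default), so long remark histories need that session or server variable raised.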