Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Splunk Search group by parameter

zservati
Explorer
‎01-31-2012 11:27 AM

I am trying to perform a search and using regx and parameter can summarize the result based on two categories which are filing-type and application ( see in bold below). My data looks as listed below for each filing record I have one event in the raw data now I need to get a count for each filing-type and application and the result output should be:

Filing-type Application Count
IRS-941-Payment QUICKBOOKS-DIY 1
SSA-W3-FILING QUICKBOOKS-DIY 1

The basic search perform to get the results below is :

index=efepr Filing was routed from FILING-PROCESSOR RECEIVED

==== Search result

1639] - Filing # 43221772, was routed from FILING-PROCESSOR to [queue/CONVERTER] with key {IRS-941-PAYMENT, IRS, QUICKBOOKS-DIY, Y:2012 W:5, RECEIVED}

1539] - Filing # 43221752, was routed from FILING-PROCESSOR to [queue/CONVERTER] with key {SSA-W3-FILING, IRS, QUICKBOOKS-DIY, Y:2011 M:1, RECEIVED}

Tags (2)
Reply

hexx
Splunk Employee
Splunk Employee
‎01-31-2012 12:48 PM

Update: Now with in-line field extractions.

Provided that you have successfully extracted the fields "filing-type" (note that Splunk will flatten the dash in that field name to an underscore) and "application", it seems that you are looking for a search like this one :

index=efepr <additional search terms> | rex "\{(?<filing_type>[^,]*?),(?<filing_recipient>[^,]*?),(?<application>[^,]*?),(?<filing_date>[^,]*?),(?<filing_status>[^\}]*?)\}" | stats count by filing_type, application
0 Karma
Reply

zservati
Explorer
‎02-01-2012 01:47 PM

What listed below is the result of the search basically we log this for each filing. Below is a sample what the search returns for two filing records.

1639] - Filing # 43221772, was routed from FILING-PROCESSOR to [queue/CONVERTER] with key {IRS-941-PAYMENT, IRS, QUICKBOOKS-DIY, Y:2012 W:5, RECEIVED}

1539] - Filing # 43221752, was routed from FILING-PROCESSOR to [queue/CONVERTER] with key {SSA-W3-FILING, IRS, QUICKBOOKS-DIY, Y:2011 M:1, RECEIVED}

0 Karma
Reply

hexx
Splunk Employee
Splunk Employee
‎02-01-2012 10:22 AM

To help you with that, we'll need to see a couple of sample events.

0 Karma
Reply

zservati
Explorer
‎02-01-2012 09:49 AM

Extracting Filing Type and Application is what I'm struggling for so could you please let me know how I can extract these fields and assign it to two parameters Filing_type and Application, which then as you pointed out I can use stats to group them.

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars this month. This ...

They're back! Join the SplunkTrust and MVP at .conf24

With our highly anticipated annual conference, .conf, comes the fez-wearers you can trust! The SplunkTrust, as ...

Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...