Group events by multiple fields in Splunk
Hi I have some events in splunk which are of this form-
Location: some value(same value can be there in multiple events)
Client: some value(same value can be there in multiple events)
TransactionNumber: some value(Unique for each event)
Transaction Time: some value(Unique for each event)
Now I want a table in this form -
Basically each location can have multiple clients and each client can have different transactions. Transaction number and transaction time are unique and have one to one mapping.
I am using this query in splunk-
| stats list(TransactionNumber) list(TransactionTime) by Location Client
What's happening is I am getting unique combination of location and client but what I want is unique clients to be listed against a particular Location.
This is what i am getting-
How can the query be modified to achieve the same?
Here is a complete example using the _internal index
index=_internal
| stats list(log_level) list(component) by sourcetype source
| streamstats count as sno by sourcetype
| eval sourcetype=if(sno=1,sourcetype,"")
| fields - sno
For your use-case I think this should work
| stats list(TransactionNumber) list(TransactionTime) by Location Client
| streamstats count as sno by Location
| eval Location=if(sno=1,Location,"")
| fields - sno
If this fixes your problem, take a moment to accept the answer. This can be done by clicking on the check mark beside the answer to toggle it from greyed out to filled in!
Cheers
- How to determine the length of an array field in Splunk?
- Splunk query to find those final results that has events with unique combination of values of two keys in results of main search criteria
- login-info.cfg Splunk file semantic and structure
- Splunk SignalFX Synthetics: Is it possible to retrieve environment variable values in Javascript
- query splunk query joining 2 data tables
- Form a results table view from splunk multiple logs
- Exclude unnecessary logs being sent to splunk cloud platform
- How to Attach Splunk Search Results In JIra Via Terraform Automation?
- Regex Substitue only on a specific group - sedcmd (Splunk)
- Regex to only return matches when followed by a specific word
- embeding conf files into helm chart
- Splunk Logs for Faster Queries, with Category Boolean true
- How to create a timechart in splunk for the timestamp and extracted field?
- Match regex named group up until optional word
- How can I access the TraceId generated by splunk-otel-collector within an ASP.NET web application?
- Splunk result in Table format
- Splunk: How to compute the difference of timestamps by id?
- SPLUNK: How can I count events by location with a list of SERVERNAME's?
- How to represent difference between same fields from two different and simultaneous searches in a table format in Splunk?
- Java 11 HttpClient - POST issue
- Flume sink to Splunk?
- Questions related to splunk builtin macros in correlation search
- how to send the local file using splunk forwarder docker image?
- A table of counts of http status by URL
- How do I use a specific date/time in Splunk dashboard with earliest and latest?
- Splunk - Handling a blank token for a dashboard search
- Splunk - Extracting from search results using regex and aggregates
- Splunk - Grouping by distinct field with stats of another field
- Trying to log to Splunk using logback appender
- How can I download infinite results from a Splunk Search to Export the Data