Reputation: 113
Splunk Query - group events by fields in splunk
I have some log events in Splunk which appears something like following:
Payment request to app_name_foo for brand: B1, app_id: A1, some param: blah, another param: blahblahblah, payment method: CREDITCARD, last param: someuniquestring
Payment request to app_name_foo for brand: B1, app_id: A2, some param: blah, another param: blahblahblah, payment method: GPAY, last param: someuniquestring
Payment request to app_name_foo for brand: B2, app_id: A3, some param: blah, another param: blahblahblah, payment method: GPAY, last param: someuniquestring
Payment request to app_name_foo for brand: B2, app_id: A1, some param: blah, another param: blahblahblah, payment method: CREDITCARD, last param: someuniquestring
Payment request to app_name_foo for brand: B2, app_id: A4, some param: blah, another param: blahblahblah, payment method: GPAY, last param: someuniquestring
I am trying to get a table something like below:
BRAND | CREDITCARD | DIRECTDEBIT | GPAY
B1 | 1 | 0 | 1
B2 | 1 | 0 | 2
What I have tried so far:
index = app_name_foo sourcetype = app "Payment request to app_name_foo for brand"
| chart count over brand by method
index = app_name_foo sourcetype = app "Payment request to app_name_foo for brand"
| chart count over brand by "payment method"
index = app_name_foo sourcetype = app "Payment request to app_name_foo for brand"
| chart count(eval(method==CREDITCARD)) AS CREDITCARD count(eval(method==DIRECTDEBIT)) AS DIRECTDEBIT count(eval(method==GPAY )) AS GPAY by brand
Unfortunately Splunk doesn't seem to recognize payment method or method. The queries above (and few more queries which I found on internet) doesn't produce any result.
If I replace method or payment method with app_id then I get the some result.
What am I missing? Please help.
Upvotes: 0
Views: 4752
Answers (1)
Reputation: 9926
Before fields can used they must first be extracted. There are a number of ways to do that, one of which uses the extract command.
index = app_name_foo sourcetype = app "Payment request to myApp for brand"
| extract kvdelim=":" pairdelim=","
| rename Payment_request_to_app_name_foo_for_brand as brand
| chart count over brand by payment_method
You'll notice extract may not grab the field names as might be expected. Also, spaces are replaced with underscores.
Now that we have fields with which to work, let's talk about the output. Please tell us more about how the CREDITCARD, DIRECTDEBIT, and GPAY columns are derived. How does B1 get a CREDITCARD value of 5 from only 2 events? Where does DIRECTDEBIT come from? How can GPAY add up to 5 from only 3 events?
Upvotes: 0
Related Questions
- Splunk Event JSON to Table
- Splunk query - Total or Count by field
- Splunk group by stats with where condition
- splunk query to extract multiple fields from single field
- Splunk : extract multiple values from each event
- Splunk field extractions from different events & delimiters
- Splunk: Group by certain entry in log file
- Group events by multiple fields in Splunk
- Splunk queries: filter by _meta fields
- Duplicate field in Splunk Events