Documentation > Splunk > Search Reference > folderize

Search Reference

 


Welcome
Search Overview
Search Commands
Custom Search Commands

folderize

This documentation does not apply to the most recent version of Splunk. Click here for the latest version.

Contents

folderize

Synopsis

Replaces attr with higher-level grouping, such as replacing filenames with directories.

Syntax

folderize attr=string [sep=string] [size=string] [minfolders=int] [maxfolders=int]

Arguments

attr
Datatype: <string>
Description: Replaces the attr attribute value with a more generic value, which is the result of grouping it with other values from other results, where grouping happens via tokenizing the attr value on the sep separator value
sep
Datatype: <string>
Description: Replaces the attr attribute value with a more generic value, which is the result of grouping it with other values from other results, where grouping happens via tokenizing the attr value on the sep separator value
size
Datatype: <string>
Description: The default sep separator is ::; the default size attribute is totalcount; the default minfolders is 2; and the default maxfolders is 20.
minfolders
Datatype: <int>
Description:
maxfolders
Datatype: <int>
Description:


Description

Replaces the attr attribute value with a more generic value, which is the result of grouping it with other values from other results, where grouping happens via tokenizing the attr value on the sep separator value. For example, it can group search results, such as those used on the Splunk homepage to list hierarchical buckets (e.g. directories or categories). Rather than listing 200 sources on the Splunk homepage, folderize breaks the source strings by a separator (e.g. /), and determines if looking at just directories results in the number of results requested. The default sep separator is ::; the default size attribute is totalcount; the default minfolders is 2; and the default maxfolders is 20.

Examples

Example 1: Example usage

| metadata type=sources | folderize maxfolders=20 attr=source sep="/"| sort totalCount d
Retrieved from "http://docs.splunk.com/Documentation/Splunk/4.0/SearchReference/Folderize"

This documentation applies to the following versions of Splunk: 4.0 , 4.0.1 , 4.0.2 , 4.0.3 , 4.0.4 , 4.0.5 , 4.0.6 , 4.0.7 , 4.0.8 , 4.0.9 , 4.0.10 , 4.0.11 View the Article History for its revisions.


You must be logged into splunk.com in order to post comments. Log in now.

Was this documentation topic helpful?

If you'd like to hear back from us, please provide your email address:

We'd love to hear what you think about this topic or the documentation as a whole. Feedback you enter here will be delivered to the documentation team.