folderize

folderize

Synopsis

Replaces attr with higher-level grouping, such as replacing filenames with directories.

Syntax

folderize attr=string [sep=string] [size=string] [minfolders=int] [maxfolders=int]

Arguments

attr

Syntax: attr=<string>

Description: Replaces the attr attribute value with a more generic value, which is the result of grouping it with other values from other results, where grouping happens via tokenizing the attr value on the sep separator value.

sep

Syntax: sep=<string>

Description: Used to construct output field names when multiple data series are used in conjunctions with a split-by field. Defaults to ::

size

Syntax: size=<string>

Description: Defaults to totalCount.

minfolders

Syntax: minfolders=<int>

Description: Set the minimum number of folders to group. Defaults to 2.

maxfolders

Syntax: maxfolders=<int>

Description: Set the maximum number of folders to group. Defaults to 20.

Description

Replaces the attr attribute value with a more generic value, which is the result of grouping it with other values from other results, where grouping happens via tokenizing the attr value on the sep separator value. For example, it can group search results, such as those used on the Splunk homepage to list hierarchical buckets (e.g. directories or categories). Rather than listing 200 sources on the Splunk homepage, folderize breaks the source strings by a separator (e.g. /), and determines if looking at just directories results in the number of results requested. The default sep separator is ::; the default size attribute is totalcount; the default minfolders is 2; and the default maxfolders is 20.

Examples

Example 1: Example usage

Answers

Have questions? Visit Splunk Answers and see what questions and answers the Splunk community has using the folderize command.

• Was this topic useful?
• Post a comment