Splunk® Enterprise

Search Reference


folderize

Description

Creates a higher-level grouping, such as replacing filenames with directories. Replaces the attr attribute value with a more generic value, which is the result of grouping the attr value with other values from other results, where grouping occurs by tokenizing the attr value on the sep separator value.

For example, the folderize command can group search results, such as those used on the Splunk Web home page, to list hierarchical buckets (e.g. directories or categories). Rather than listing 200 sources, the folderize command breaks the source strings on a separator (e.g. /) and checks whether grouping by directory alone yields the requested number of results.

Syntax

folderize attr=<string> [sep=<string>] [size=<string>] [minfolders=<int>] [maxfolders=<int>]

Arguments

attr
Syntax: attr=<string>
Description: Replaces the attr attribute value with a more generic value, which is the result of grouping it with other values from other results, where grouping occurs by tokenizing the attribute (attr) value on the separator (sep) value.
sep
Syntax: sep=<string>
Description: Specify a separator character used to construct output field names when multiple data series are used in conjunction with a split-by field.
Default: ::
size
Syntax: size=<string>
Description: Supply a name to be used for the size of the folder.
Default: totalCount
minfolders
Syntax: minfolders=<int>
Description: Set the minimum number of folders to group.
Default: 2
maxfolders
Syntax: maxfolders=<int>
Description: Set the maximum number of folders to group.
Default: 20

Examples

1. Group results into folders based on URI

Consider the following search.

index=_internal | stats count(uri) by uri

The following image shows the results of the search run using "All Time" for the time range. Many of the results start with /en-US/account. Because of the length of some of the URIs, the image does not show the second column on the far right. That column is the count(uri) column created by the stats command.

This image shows the results in a table on the Statistics tab. There are two columns in the results: uri and count(uri). There are thousands of results.

Using the folderize command you can summarize the URI values into more manageable groupings.

index=_internal | stats count(uri) by uri | folderize size=count(uri) attr=uri sep="/"

The following image shows the URIs grouped into 9 results.

This image shows the results in a table on the Statistics tab. There are three columns in the results: uri, count(uri), and memberCount. All of the URIs that begin with /en-US/account/ are grouped together on one line in the results. In this example, the URIs are grouped into nine results.

In this example, the count(uri) column is the count of the unique URIs that were returned from the stats command. The memberCount column shows the count of the URIs in each group. For example, the /en-US/ URI was found 62 times in the events, as shown in the count(uri) column. When the folderize command arranges the URIs into groups, there is only 1 member in the /en-US/ group. By contrast, the URIs that start with /services/ occurred 5365 times in the events, but there are only 775 unique members in the /services/* group.
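The following Python script is an added illustration of the grouping described above; it is not Splunk's implementation. It tokenizes the attr value on sep, folds values that share a prefix into one row, sums the size field and reports memberCount, as the example output shows. The sample rows stand in for what "index=_internal | stats count(uri) by uri" might return and are constructed for this illustration. One detail is an assumption not stated on this page: the prefix depth is chosen by starting at one token and going deeper while there are fewer than minfolders groups, falling back to the previous depth if a deeper split overshoots maxfolders.

```python
"""Toy re-implementation of the grouping performed by the folderize command.

Added illustration, not Splunk code. It follows the documented behaviour
(tokenize attr on sep, group on a shared prefix, sum the size field, report
memberCount) and makes one assumption about how the prefix depth is chosen.
"""


def tokenize(value, sep):
    """Split a value on sep, dropping empty tokens from leading, trailing
    or doubled separators so "/en-US/" and "/en-US" tokenize alike."""
    return [t for t in value.split(sep) if t]


def group_at_depth(rows, attr, sep, size, depth):
    """Group rows whose attr value shares its first `depth` tokens.

    A value with fewer than `depth` tokens cannot be folded into a deeper
    prefix and forms a group of its own (this is why /en-US/ ends up alone
    while /en-US/account/... values collapse together). Returns result rows
    in first-seen order.
    """
    groups = {}  # dict preserves insertion order in Python 3.7+
    for row in rows:
        value = row[attr]
        tokens = tokenize(value, sep)
        if len(tokens) < depth:
            key = value  # leaf: keep the full value as its own key
        else:
            lead = sep if value.startswith(sep) else ""
            key = lead + sep.join(tokens[:depth])
        g = groups.setdefault(key, {"members": [], "size": 0})
        g["members"].append(value)
        g["size"] += row[size]

    results = []
    for key, g in groups.items():
        if len(g["members"]) == 1:
            name = g["members"][0]  # a singleton keeps its original value
        else:
            name = key + sep + "*"  # several values collapse to prefix/*
        results.append({attr: name, size: g["size"], "memberCount": len(g["members"])})
    return results


def folderize(rows, attr, sep="::", size="totalCount", minfolders=2, maxfolders=20):
    """Return the shallowest grouping whose group count lies in
    [minfolders, maxfolders]. Defaults mirror the argument table above.

    Assumption (not documented on the page): group counts only grow with
    depth, so we go deeper while there are too few groups and return the
    previous grouping if a deeper split overshoots maxfolders.
    """
    if not rows:
        return []
    max_depth = max(1, max(len(tokenize(r[attr], sep)) for r in rows))
    previous = None
    for depth in range(1, max_depth + 1):
        current = group_at_depth(rows, attr, sep, size, depth)
        if minfolders <= len(current) <= maxfolders:
            return current
        if len(current) > maxfolders:
            return previous if previous is not None else current
        previous = current
    return previous  # even the deepest split gave fewer than minfolders groups


# Constructed sample of what `index=_internal | stats count(uri) by uri`
# might return; URIs and counts are made up for this illustration.
SAMPLE_ROWS = [
    {"uri": "/en-US/", "count(uri)": 62},
    {"uri": "/en-US/account/login", "count(uri)": 40},
    {"uri": "/en-US/account/logout", "count(uri)": 12},
    {"uri": "/en-US/app/search/flashtimeline", "count(uri)": 30},
    {"uri": "/services/server/info", "count(uri)": 500},
    {"uri": "/services/search/jobs", "count(uri)": 800},
    {"uri": "/services/search/jobs/1234", "count(uri)": 10},
    {"uri": "/static/js/foo.js", "count(uri)": 70},
    {"uri": "/static/css/bar.css", "count(uri)": 20},
]


def demo(minfolders=2, maxfolders=20):
    """Mirror `... | folderize size=count(uri) attr=uri sep="/"` on the sample."""
    return folderize(SAMPLE_ROWS, attr="uri", sep="/", size="count(uri)",
                     minfolders=minfolders, maxfolders=maxfolders)


if __name__ == "__main__":
    for row in demo():
        print(row)
```

With the defaults the sample collapses to three rows (/en-US/*, /services/*, /static/*); raising minfolders forces a deeper split, which is when /en-US/ separates from /en-US/account/* as in the screenshot described above.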

Answers

Have questions? Visit Splunk Answers and see what questions and answers the Splunk community has using the folderize command.


This documentation applies to the following versions of Splunk® Enterprise: 4.3, 4.3.1, 4.3.2, 4.3.3, 4.3.4, 4.3.5, 4.3.6, 4.3.7, 5.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.0.5, 5.0.6, 5.0.7, 5.0.8, 5.0.9, 5.0.10, 5.0.11, 5.0.12, 5.0.13, 5.0.14, 5.0.15, 5.0.16, 5.0.17, 5.0.18, 6.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5, 6.0.6, 6.0.7, 6.0.8, 6.0.9, 6.0.10, 6.0.11, 6.0.12, 6.0.13, 6.0.14, 6.1, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, 6.1.10, 6.1.11, 6.1.12, 6.1.13, 6.2.0, 6.2.1, 6.2.2, 6.2.3, 6.2.7, 6.2.8, 6.2.9, 6.2.4, 6.2.10, 6.2.11, 6.2.12, 6.2.13, 6.2.14, 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.3.11, 6.3.12, 6.3.13, 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.7, 6.4.8, 6.4.9, 6.4.10, 6.5.0, 6.5.1, 6.5.1612 (Splunk Cloud only), 6.5.2, 6.5.3, 6.5.4, 6.5.5, 6.5.6, 6.5.7, 6.5.8, 6.5.9, 6.6.0, 6.6.1, 6.6.2, 6.6.3, 6.6.4, 6.6.5, 6.6.6, 6.6.7, 6.6.8, 6.6.9, 6.6.10, 6.6.11, 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.1.0, 6.2.5, 6.2.6

