Splunk® Enterprise

Search Reference


Splunk Enterprise version 6.x is no longer supported as of October 23, 2019. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.



Creates a higher-level grouping, such as replacing filenames with directories. Replaces the attr attribute value with a more generic value, which is the result of grouping the attr value with other values from other results, where grouping occurs by tokenizing the attr value on the sep separator value.

For example, the folderize command can group search results, such as those used on the Splunk Web home page, to list hierarchical buckets (e.g. directories or categories). Rather than listing 200 sources, the folderize command breaks the source strings by a separator (e.g. /) and determines if looking only at directories results in the number of results requested.


folderize attr=<string> [sep=<string>] [size=<string>] [minfolders=<int>] [maxfolders=<int>]


Syntax: attr=<string>
Description: Replaces the attr attribute value with a more generic value, which is the result of grouping it with other values from other results, where grouping occurs by tokenizing the attribute (attr) value on the separator (sep) value.

Syntax: sep=<string>
Description: Specify a separator character used to construct output field names when multiple data series are used in conjunction with a split-by field.
Default: ::

Syntax: size=<string>
Description: Supply a name to be used for the size of the folder.
Default: totalCount

Syntax: minfolders=<int>
Description: Set the minimum number of folders to group.
Default: 2

Syntax: maxfolders=<int>
Description: Set the maximum number of folders to group.
Default: 20


1. Group results into folders based on URI

Consider the following search.

index=_internal | stats count(uri) by uri

The following image shows the results of the search run using "All Time" for the time range. Many of the results start with /en-US/account. Because of the length of some of the URIs, the image does not show the second column on the far right. That column is the count(uri) column created by the stats command.


Using the folderize command you can summarize the URI values into more manageable groupings.

index=_internal | stats count(uri) by uri | folderize size=count(uri) attr=uri sep="/"

The following image shows the URIs grouped into 9 results.


In this example, the count(uri) column is the count of the unique URIs that were returned from the stats command. The memberCount column shows the count of the URIs in each group. For example, the /en-US/ URI was found 62 times in the events, as shown in the count(uri) column. When the folderize command arranges the URIs into groups, there is only 1 member in the /en-US/ group. By contrast, the URIs that start with /services/ occurred 5365 times in the events, but there are only 775 unique members in the /services/* group.
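The grouping described above can be modelled outside Splunk to see how the size column and the memberCount column arise from tokenizing on the separator. The following Python sketch is an added illustration, not Splunk's implementation: the depth-selection rule, the function names, and the sample rows are assumptions constructed for this example, and minfolders is not modelled.

```python
from collections import defaultdict

# Constructed sample rows, shaped like the output of "stats count(uri) by uri".
SAMPLE_ROWS = [
    {"uri": "/en-US/", "count(uri)": 5},
    {"uri": "/en-US/account/login", "count(uri)": 40},
    {"uri": "/en-US/account/logout", "count(uri)": 7},
    {"uri": "/services/auth/login", "count(uri)": 300},
    {"uri": "/services/server/info", "count(uri)": 120},
    {"uri": "/services/search/jobs", "count(uri)": 900},
]


def folder_for(value, sep, depth):
    """Collapse a value to its first `depth` tokens plus a wildcard.

    Values with nothing meaningful beyond `depth` tokens are kept unchanged,
    so "/en-US/" stays its own single-member group.
    """
    tokens = value.split(sep)
    if len(tokens) > depth and any(tokens[depth:]):
        return sep.join(tokens[:depth]) + sep + "*"
    return value


def folderize(rows, attr, sep="::", size="totalCount", maxfolders=20):
    """Assumed rule: use the deepest prefix depth giving <= maxfolders groups."""
    if not rows:
        return []
    max_depth = max(len(r[attr].split(sep)) for r in rows)
    for depth in range(max_depth, 0, -1):
        groups = defaultdict(lambda: {size: 0, "memberCount": 0})
        for r in rows:
            g = groups[folder_for(r[attr], sep, depth)]
            g[size] += r.get(size, 1)   # rows without a size field count as 1
            g["memberCount"] += 1       # number of distinct input rows grouped
        if len(groups) <= maxfolders or depth == 1:
            return [{attr: k, **v} for k, v in sorted(groups.items())]


if __name__ == "__main__":
    for row in folderize(SAMPLE_ROWS, attr="uri", sep="/",
                         size="count(uri)", maxfolders=3):
        print(row)
```

The size column is summed across the members of each group, while memberCount counts the rows that were folded into it, which is why a group can show a large event count with few members.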



Last modified on 14 June, 2018

This documentation applies to the following versions of Splunk® Enterprise: 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.3.11, 6.3.12, 6.3.13, 6.3.14, 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.7, 6.4.8, 6.4.9, 6.4.10, 6.4.11, 6.5.0, 6.5.1, 6.5.2, 6.5.3, 6.5.4, 6.5.6, 6.5.7, 6.5.8, 6.5.9, 6.5.10, 6.6.0, 6.6.1, 6.6.2, 6.6.3, 6.6.4, 6.6.5, 6.6.6, 6.6.7, 6.6.8, 6.6.9, 6.6.10, 6.6.11, 6.6.12, 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.13, 7.1.0, 6.5.5
