folderize
Description
Creates a higher-level grouping, such as replacing filenames with directories. Replaces the attr attribute value with a more generic value, which is the result of grouping the attr value with other values from other results, where grouping occurs by tokenizing the attr value on the sep separator value.
For example, the folderize
command can group search results, such as those used on the Splunk Web home page, to list hierarchical buckets (e.g. directories or categories). Rather than listing 200 sources, the folderize
command breaks the source strings by a separator (e.g. /) and determines if looking only at directories results in the number of results requested.
Syntax
folderize attr=<string> [sep=<string>] [size=<string>] [minfolders=<int>] [maxfolders=<int>]
Arguments
- attr
- Syntax: attr=<string>
- Description: Replaces the attr attribute value with a more generic value, which is the result of grouping it with other values from other results, where grouping occurs by tokenizing the attribute (attr) value on the separator (sep) value.
- sep
- Syntax: sep=<string>
- Description: Specify a separator character used to construct output field names when multiple data series are used in conjunction with a split-by field.
- Default: ::
- size
- Syntax: size=<string>
- Description: Supply a name to be used for the size of the folder.
- Default: totalCount
- minfolders
- Syntax: minfolders=<int>
- Description: Set the minimum number of folders to group.
- Default: 2
- maxfolders
- Syntax: maxfolders=<int>
- Description: Set the maximum number of folders to group.
- Default: 20
Examples
1. Group results into folders based on URI
Consider the following search.
index=_internal | stats count(uri) by uri
The following image shows the results of the search run using "All Time" for the time range. Many of the results start with /en-US/account
. Because of the length of some of the URIs, the image does not show the second column on the far right. That column is the count(uri)
column created by the stats
command.
Using the folderize
command you can summarize the URI values into more manageable groupings.
index=_internal | stats count(uri) by uri | folderize size=count(uri) attr=uri sep="/"
The following image shows the URIs grouped into 9 results.
In this example, the count(uri)
column is the count of the unique URIs that were returned from the stats
command. The
memberCount
column shows the count of the URIs in each group. For example, the /en-US/
URI was found 62 times in the events, as shown in the count(uri)
column. When the folderize
command arranges the URI into groups, there is only 1 member in the /en-US/
group. Whereas the URIs that start with /services/
occurred 5365 times in the events, but there are only 775 unique members in the /services/*
group.
Answers
Have questions? Visit Splunk Answers and see what questions and answers the Splunk community has using the folderize command.
findtypes | foreach |
This documentation applies to the following versions of Splunk® Enterprise: 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.13, 7.1.0
Feedback submitted, thanks!