Splunk® Enterprise

Search Reference

Splunk Enterprise version 7.2 is no longer supported as of April 30, 2021. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.
This documentation does not apply to the most recent version of Splunk® Enterprise. For documentation on the most recent version, go to the latest release.

folderize

Description

Creates a higher-level grouping, such as replacing filenames with directories. Replaces the attr attribute value with a more generic value, which is the result of grouping the attr value with other values from other results, where grouping occurs by tokenizing the attr value on the sep separator value.

For example, the folderize command can group search results, such as those used on the Splunk Web home page, to list hierarchical buckets (e.g. directories or categories). Rather than listing 200 sources, the folderize command breaks the source strings by a separator (e.g. /) and determines if looking only at directories results in the number of results requested.

Syntax

folderize attr=<string> [sep=<string>] [size=<string>] [minfolders=<int>] [maxfolders=<int>]

Arguments

attr
Syntax: attr=<string>
Description: Replaces the attr attribute value with a more generic value, which is the result of grouping it with other values from other results, where grouping occurs by tokenizing the attribute (attr) value on the separator (sep) value.
sep
Syntax: sep=<string>
Description: Specify a separator character used to construct output field names when multiple data series are used in conjunction with a split-by field.
Default: ::
size
Syntax: size=<string>
Description: Supply a name to be used for the size of the folder.
Default: totalCount
minfolders
Syntax: minfolders=<int>
Description: Set the minimum number of folders to group.
Default: 2
maxfolders
Syntax: maxfolders=<int>
Description: Set the maximum number of folders to group.
Default: 20

Examples

1. Group results into folders based on URI

Consider this search.

index=_internal | stats count(uri) by uri

The following image shows the results of the search run using the All Time time range. Many of the results start with /en-US/account. Because some of the URIs are very long, the image does not show the second column on the far right. That column is the count(uri) column created by the stats command.

This image shows the results in a table on the Statistics tab. There are two columns in the results: uri and count(uri). There are thousands of results.

Using the folderize command, you can summarize the URI values into more manageable groupings.

index=_internal | stats count(uri) by uri | folderize size=count(uri) attr=uri sep="/"

The following image shows the URIs grouped in the result set.

This image shows the results in a table on the Statistics tab. There are three columns in the results: uri, count(uri), and memberCount. All of the URIs that begin with /en-US/ are grouped together on one line in the results. In this example, the URIs are grouped into eight results.

In this example, the count(uri) column is the count of the unique URIs that were returned from the stats command. The memberCount column shows the count of the URIs in each group. For example, the /en-US/ URI was found 22 times in the events, as shown in the count(uri) column. When the folderize command arranges the URI into groups, there is only 1 member in the /en-US/ group. Whereas the URIs that start with /services/ occurred 10088 times in the events, but there are only 1648 unique members in the /services/* group.

Last modified on 16 March, 2022
findtypes   foreach

This documentation applies to the following versions of Splunk® Enterprise: 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.0.10, 8.1.0, 8.1.1, 8.1.2, 8.1.3, 8.1.4, 8.1.5, 8.1.6, 8.1.7, 8.1.8, 8.1.9, 8.1.10, 8.1.11, 8.1.12, 8.1.13, 8.1.14, 8.2.0, 8.2.1, 8.2.2, 8.2.3, 8.2.4, 8.2.5, 8.2.6, 8.2.7, 8.2.8, 8.2.9, 8.2.10, 8.2.11, 8.2.12


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters