Counting by one field and then grouping by month?

peksalli
Engager

Hello!

This question is probably trivial (I'm a newbie) but I just don't seem to be able to adjust my head to think how this is done. I am trying to count occurrences of each event type per month, having this kind of output:

month    field1    count
01       x         20
01       y         10
01       z         15
02       x         10
02       y         5
02       z         6

There are only about ten different values for field1, but they may change every month, so the values should come from the index.

So far I only have got to this:
source=mysource earliest=-10mon@mon | convert timeformat="%m" ctime(_time) AS month | cluster field="field1" countfield=count |table month, field1, count

Obviously this doesn't work, as it clusters & counts over all time, not per month.

I have been thinking of using a subsearch like

source="mysource" earliest=-10mon@mon | stats values(field1)

which lists the distinct values, but how can I use this result?
1 Solution

Ayn
Legend

Just using stats with a by clause should do what you want.

... | stats count by month,field1

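The accepted answer only shows the stats stage, so here is the complete search as an added example (not from the original post): the asker's month extraction is kept, but expressed with eval/strftime, and the search name, field name and the sort at the end are taken from the question. The second search is a variant for the case the thread does not cover: when the time range spans more than twelve months, a two-digit "%m" merges January of different years into one row, so the month key needs the year as well.

```spl
source=mysource earliest=-10mon@mon
| eval month=strftime(_time, "%m")
| stats count BY month, field1
| sort month, field1

source=mysource earliest=-24mon@mon
| eval month=strftime(_time, "%Y-%m")
| stats count BY month, field1
| sort month, field1
```

Both searches return one row per (month, field1) pair, which is the table shape the question asked for; because the values of field1 come from the events themselves, a new value appearing in a given month simply shows up as an extra row for that month. For baselining work this is the useful property: a sudden new row, or a count far off the previous months, is what you would want to compare against.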
Ayn
Legend

No problem. If this answer solved your problem, please mark it as accepted. Thanks.

peksalli
Engager

Thanks, so it was trivial. All the "stats count by" examples I could find had only one parameter after "by".
