So quite often I end up in a situation where I have four fields. Let's say they're _time, clientip, method and count.
I want to end up with a report that gives me, for each unique combination of _time and clientip, the counts for each value of method. The desired results look like this:

| _time | clientip | HEAD | GET | POST |
|---|---|---|---|---|
| 1/17/2014 | 216.34.12.21 | 2 | 213 | 12 |
| 1/17/2014 | 216.34.12.25 | 12 | 59 | 11 |
| etc. | | | | |
In other words I want the _time and clientip field to be my "group-by" fields, grouped the way the stats command groups them. But I want the method field to be my "split-by" field, split out by value the way the chart and timechart command does its "by" field.
If I could do without _time, or without clientip, then this would just be `chart count over _time by method`, or `chart count over clientip by method`. But I want to have each row be a unique combination of both _time and clientip. (Actually, to be honest, I quite often want 3 group-by fields, not always 2.)
I feel like I want to be able to either

a) tell the chart command `| chart count over _time clientip by method`, even though the Splunk charting framework will not be able to graph any meaningful visualizations for me. That is fine.

OR

b) have some way for xyseries to handle "chartifying" the stats output:

```spl
| stats count by _time clientip method
| xyseries groupby=_time,clientip splitby=method cellvalue=count
```
The only way I know of to do this is as follows, and I don't like it.

```spl
*
| eval timeAndClientIp = _time . "::" . clientip
| chart count over timeAndClientIp by method
| eval _time=mvindex(split(timeAndClientIp,"::"),0)
| eval clientip=mvindex(split(timeAndClientIp,"::"),1)
| fields - timeAndClientIp
```
You basically glom the two or more fields into one field holding both values. Then you treat that one field as your single group-by field, and then you have 2 or more nasty eval expressions to unpack all the individual field values.
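As an added illustration (not part of the original post and not Splunk code), here is the transform the question is asking for, written in Python: rows shaped like the output of `stats count by _time clientip method` are pivoted into one row per group-by tuple with one column per method value, for any number of group-by fields, without gluing the fields together with a separator. The sample rows are constructed; the `pivot` function and its behaviour (missing cells filled with 0, columns in first-seen order) are assumptions of this example.

```python
from collections import defaultdict

# Constructed sample input: what `stats count by _time clientip host method`
# would hand to the next command in the pipeline.
STATS_ROWS = [
    {"_time": "1/17/2014", "clientip": "216.34.12.21", "host": "web01", "method": "GET",  "count": 213},
    {"_time": "1/17/2014", "clientip": "216.34.12.21", "host": "web01", "method": "POST", "count": 12},
    {"_time": "1/17/2014", "clientip": "216.34.12.21", "host": "web01", "method": "HEAD", "count": 2},
    {"_time": "1/17/2014", "clientip": "216.34.12.25", "host": "web01", "method": "GET",  "count": 59},
    {"_time": "1/17/2014", "clientip": "216.34.12.25", "host": "web01", "method": "POST", "count": 11},
    {"_time": "1/17/2014", "clientip": "216.34.12.25", "host": "web01", "method": "HEAD", "count": 12},
    # A group with no POST/HEAD traffic: the missing cells must come out as 0.
    {"_time": "1/18/2014", "clientip": "216.34.12.21", "host": "web01", "method": "GET",  "count": 40},
]


def pivot(rows, groupby, splitby, cellvalue, fill=0):
    """Group rows by the tuple of `groupby` fields and spread `splitby`
    values into columns (the chart/xyseries "by" behaviour, but with
    any number of group-by fields). Returns (rows, split_columns)."""
    cells = defaultdict(dict)   # groupby tuple -> {split value: summed cell}
    split_values = []           # distinct split values, first-seen order
    for r in rows:
        key = tuple(r[g] for g in groupby)
        sv = r[splitby]
        if sv not in split_values:
            split_values.append(sv)
        cells[key][sv] = cells[key].get(sv, 0) + r[cellvalue]
    out = []
    for key, by_split in cells.items():   # dict keeps first-seen order
        row = dict(zip(groupby, key))
        for sv in split_values:
            row[sv] = by_split.get(sv, fill)
        out.append(row)
    return out, split_values


def render(rows, groupby, split_values):
    """Render the pivoted rows as a pipe-delimited table, one line per row."""
    header = groupby + split_values
    lines = ["| " + " | ".join(header) + " |"]
    for r in rows:
        lines.append("| " + " | ".join(str(r[c]) for c in header) + " |")
    return "\n".join(lines)


if __name__ == "__main__":
    table, cols = pivot(STATS_ROWS, ["_time", "clientip"], "method", "count")
    print(render(table, ["_time", "clientip"], cols))
```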