
What's a good way to basically end up with more than 1 group-by field in the chart command

sideview
SplunkTrust

So quite often I end up in a situation where I have four fields. Let's say they're _time, clientip, method and count.

I want to end up with a report that gives me, for each unique combination of _time and clientip, the counts for each value of method. The desired results look like this:

| _time     | clientip     | HEAD | GET | POST |
|-----------|--------------|------|-----|------|
| 1/17/2014 | 216.34.12.21 |    2 | 213 |   12 |
| 1/17/2014 | 216.34.12.25 |   12 |  59 |   11 |
| etc....   |              |      |     |      |

In other words I want the _time and clientip fields to be my "group-by" fields, grouped the way the stats command groups them. But I want the method field to be my "split-by" field, split out by value the way the chart and timechart commands do their "by" field.

If I could do without _time, or without clientip, then this would just be chart count over _time by method, or chart count over clientip by method. But I want each row to be a unique combination of both _time and clientip. (Actually, to be honest, I quite often want 3 group-by fields, not always 2.)

I feel like I want to be able to either

a) tell the chart command | chart count over _time clientip by method

even though the Splunk charting framework will not be able to graph any meaningful visualizations for me. That is fine.

OR

b) have some way for xyseries to handle "chartifying" the stats output.

| stats count by _time clientip method
| xyseries groupby=_time,clientip splitby=method cellvalue=count

sideview
SplunkTrust

The only way I know of to do this is as follows, and I don't like it.

| eval timeAndClientIp = _time . "::" . clientip
| chart count over timeAndClientIp by method
| eval _time=mvindex(split(timeAndClientIp,"::"),0)
| eval clientip=mvindex(split(timeAndClientIp,"::"),1)
| fields - timeAndClientIp

You basically glom the two or more fields into one field holding both values. Then you treat that one field as your single group-by field, and then you have 2 or more nasty eval expressions to unpack all the individual field values.

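As an added example (not from the original post), the same glue-and-unpack approach carried to three group-by fields, _time, host and clientip, on a handful of events constructed inline with makeresults rather than read from an index. It assumes an extra host field that the question does not have, and uses "#" as the glue character because "::" is a legitimate substring of IPv6 client addresses and would break the split.

```spl
| makeresults
| eval raw="2014-01-17,216.34.12.21,GET,web01;2014-01-17,216.34.12.21,GET,web01;2014-01-17,216.34.12.21,POST,web01;2014-01-17,216.34.12.25,HEAD,web01;2014-01-18,216.34.12.25,GET,web02;2014-01-18,216.34.12.25,GET,web02"
| makemv delim=";" raw
| mvexpand raw
| rex field=raw "^(?<day>[^,]+),(?<clientip>[^,]+),(?<method>[^,]+),(?<host>[^,]+)$"
| eval _time=strptime(day, "%Y-%m-%d")
| fields - raw day
| bin _time span=1d
| eval groupKey = _time . "#" . host . "#" . clientip
| chart count over groupKey by method
| eval parts = split(groupKey, "#")
| eval _time = tonumber(mvindex(parts, 0))
| eval host = mvindex(parts, 1)
| eval clientip = mvindex(parts, 2)
| fields - groupKey parts
| table _time host clientip HEAD GET POST
```

Everything up to the bin command only builds the sample events; the real technique is the groupKey eval, the chart over groupKey, and the three mvindex evals that unpack it again, with tonumber restoring _time to a numeric timestamp so downstream time formatting still works. Whatever delimiter you pick, check it cannot occur inside any of the glued field values, since split will otherwise shift every value after it into the wrong column.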