I have a search that gives me the date and total number of projects:
index=eis_continuous_integration sourcetype=eisci
| timechart span=1d count as projectTypes by SRCProject
| rename _time as Date
| convert timeformat="%m/%d/%Y" ctime(Date)
How can I make it so the results are also sorted by Group (Group is an extracted field whose values are ESB, CG, and EG)? I'd like the chart to display a breakdown of each group by project. When I use ...| timechart span=1d count as projectTypes by SRCProject, Group, Splunk sees ", Group" as an invalid argument.
Do you know how I could modify this query to display the results I'm looking for?
Thanks!
As @aholzer points out, timechart can have only 1 field after the by. However, if you want a table, you could do it this way:
index=eis_continuous_integration sourcetype=eisci
| bucket span=1d _time as Date
| stats count as projectTypes by Date SRCProject Group
| eval Date = strftime(Date, "%m/%d/%Y")
Another alternative is this:
index=eis_continuous_integration sourcetype=eisci
| eval ProjectGroup = SRCProject . " - " . Group
| timechart span=1d count as projectTypes by ProjectGroup
| rename _time as Date
| convert timeformat="%m/%d/%Y" ctime(Date)
search | sort Group | bucket _time span=1d | chart count by _time, SRCProject, Group
Moreover, you can also use stats and build a table of your choice to show on a dashboard.
Maybe a chart with Date, SRCProject, EG, ESB, CG as headers and the values underneath?
Thanks all! I like this one:
index=eis_continuous_integration sourcetype=eisci
| search Group="EG"
| bucket span=1d _time as Date
| stats count as totalTypes by Date, SRCProject, Group
| eval Date = strftime(Date, "%m/%d/%Y")
How can I modify this so that in the chart, instead of "Group", it shows "EG" as a header, and the value "30" under it? Is that possible?
Timechart only accepts one 'by' field. You wouldn't be able to timechart your results. If you just want a table of results then use stats and you can use as many fields as you want in your 'by'. Then simply add a pipe to a 'sort' to list the fields in decreasing priority how you would like them sorted.
Hope this helps
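The follow-up above asks for the Group values (ESB, CG, EG) as column headers next to Date and SRCProject, which neither timechart nor chart can produce directly, because each allows only one remaining split field once the row key is taken. The search below is an added example, not code posted in this thread: it folds Date and SRCProject into one composite row key with a "|" separator, lets chart pivot Group into columns, then splits the key back out with rex. The field names DateProject and the "|" separator are assumptions for the illustration; the index, sourcetype, SRCProject and Group names are the ones used in the thread. It goes beyond the posted search by keeping all three groups rather than filtering to Group="EG".

```spl
index=eis_continuous_integration sourcetype=eisci
| bucket span=1d _time as Date
| eval DateProject = Date . "|" . SRCProject
| chart count over DateProject by Group
| rex field=DateProject "^(?<Date>[^|]+)\|(?<SRCProject>.*)$"
| eval Date = strftime(tonumber(Date), "%m/%d/%Y")
| fillnull value=0 ESB CG EG
| table Date SRCProject ESB CG EG
```

The epoch value is kept numeric inside the composite key so that chart's over-field ordering stays chronological; formatting the date with strftime happens only after the pivot, since an "%m/%d/%Y" string would otherwise sort lexically. fillnull with an explicit field list guarantees all three group columns appear even on days where a group logged nothing, which keeps the dashboard table layout stable.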