Splunk Search

How to table the count of each instance of fieldA, but also show fieldB as an additional column next to it for reference?

stage1v8
Engager

Hi all,

I am trying to search some logs that have event_name and event_number. I want to produce a table that shows a count of how many instances of the event_number exist, but also show the event_name field next to it for reference.

So a table with 3 columns:
event_number, event_name, count

I can get one or the other, but not both.
This works for one: index=index1 | chart count by event_number
This works for one: index=index1 | chart count by event_name
This doesn't work: index=index1 | chart count by event_name event_number
Nor this: index=index1 | chart count by event_number | fields event_number event_name count

Does what I am trying to achieve make sense?

Any suggestions?

Thanks

1 Solution

stage1v8
Engager

After lots of googling, I seem to have answered it myself:

index=index1 | stats count(event_name) by event_name event_number | sort event_number
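A run-anywhere variant of the accepted search, added here as an illustration and not part of the original post. The first four commands only build six constructed sample events (the event_number and event_name values are made up); `AS count` names the result column `count`, and `table` puts the columns in the order the question asked for.

```spl
| makeresults count=6
| streamstats count AS n
| eval event_number=case(n<=3, 100, n<=5, 200, true(), 300)
| eval event_name=case(event_number=100, "alpha", event_number=200, "beta", true(), "gamma")
| stats count(event_name) AS count by event_name event_number
| sort event_number
| table event_number event_name count
```

Against real data, replace the first four lines with `index=index1`. The `chart count by event_name event_number` attempt from the question instead pivots the second field into one column per event_number value, which is why it does not give the three-column layout.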
