Splunk Search

How do I add a field to my chart?

ttoine
Explorer

I am working on a graph in order to identify the most pinging customer accounts (traffic optimization, security). I would like to add the field clientip (relative to the customer-account, of course) in another column.

The top would be to have the graph, and when I pass the mouse over a bar, it should display the customer-account and the clientip. But if I can have at least the graph and the data below, that would be good enough.

| chart count BY customer-account | sort -count |head 50

I tried many ways, but I have an error, or no match. I don't see how to do that. Is it possible?

Tags (2)
0 Karma
1 Solution

ttoine
Explorer

So I did it this is way to have the column I want.

| chart mode(clientip) AS ip_adress, count BY customer-account | sort -count | head 50

I use mode in case a customer account have more than one clientip in the events. (e.g someone using a smartphone or a laptop).

Now I need to find how to keep clientip in the statistics, but remove it from the visualization (or display it in an other way. But this is another question.

View solution in original post

0 Karma

ttoine
Explorer

So I did it this is way to have the column I want.

| chart mode(clientip) AS ip_adress, count BY customer-account | sort -count | head 50

I use mode in case a customer account have more than one clientip in the events. (e.g someone using a smartphone or a laptop).

Now I need to find how to keep clientip in the statistics, but remove it from the visualization (or display it in an other way. But this is another question.

0 Karma

somesoni2
SplunkTrust
SplunkTrust

Give this a try

your base search | eval customer-account='customer-account'.":".clientip  | chart count BY customer-account | sort -count |head 50

OR

your base search | chart count over customer-account by clientip | addtotals | sort -Total | head 50
0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...