Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How do I display results grouped by two field values and then display a count over a 7 day period with span=1d

thomasaju
New Member
‎06-27-2016 05:24 PM

So I have a data set and with some splunk magic, I was able to display the results in the following format:
query:

..... | stats count by error, state | sort count | chart list(error) as error, list(count) as count by state

Results:

    State   error           Count
    -----   -----           -----
    CA     21102           69
             42112           32
             10551           45
             81092           15
             10453           18
    VA     21102           18
             42112           10
             10551           16
             81092           19
             10453           12
    WA     21102           17
             42112           11
             81092           31
             10453           10

What I would like to see is the count over last 7 days which would give me the results like below:

    State   error           06/24        06/25       06/26        06/27
    -----   -----           -----        -----       -----        -----
    CA     21102           11           19           21           21
             42112           11           12           12           15
             10551           11           12           14           17
             81092           16           13           15           19
             10453           11           17           18           11
    VA     21102           11           19           21           21
             42112           11           12           12           15
             10551           11           12           14           17
             81092           16           13           15           19
             10453           11           17           18           11
    WA     21102           11           19           21           21
             42112           11           12           12           15
             81092           16           13           15           19
             10453           11           17           18           11

Basically splitting the count by date.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

sundareshr
Legend
‎06-27-2016 06:55 PM

See if this gives you what you're looking for

..... | eval stateerror=state."#".error | bin span=1d _time as time | eval time=strftime(time, "%,/%d") | chart count over stateerror by time | rex field=stateerror "(?<State>[^#]+)#(?<Error>\d+)" | fields -stateerror

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

sundareshr
Legend
‎06-27-2016 06:55 PM

See if this gives you what you're looking for

..... | eval stateerror=state."#".error | bin span=1d _time as time | eval time=strftime(time, "%,/%d") | chart count over stateerror by time | rex field=stateerror "(?<State>[^#]+)#(?<Error>\d+)" | fields -stateerror
0 Karma
Reply
Solved! Jump to solution

thomasaju
New Member
‎06-28-2016 07:20 AM

thanks @sundareshr. The query does give me the results like below:

        State   error           06/24        06/25       06/26        06/27
        -----   -----           -----        -----       -----        -----
        CA     21102           11           19           21           21
        CA       42112           11           12           12           15
        CA       10551           11           12           14           17
        CA       81092           16           13           15           19
        CA       10453           11           17           18           11
        VA     21102           11           19           21           21
        VA       42112           11           12           12           15
        VA       10551           11           12           14           17
        VA       81092           16           13           15           19
        VA       10453           11           17           18           11
        WA     21102           11           19           21           21
        WA       42112           11           12           12           15
        WA       81092           16           13           15           19
        WA       10453           11           17           18           11

But it's not grouping the state as I've shown in my original post. Is it possible that I can group the state values together?

0 Karma
Reply
Solved! Jump to solution

sundareshr
Legend
‎06-28-2016 06:48 PM

Add this to the end

| stats values(*) as * by State
0 Karma
Reply
Solved! Jump to solution

thomasaju
New Member
‎06-29-2016 02:05 AM

This works. Though I ended up using. Thanks for the help, @sundareshr

| stats list(*) as * by State
0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...