Splunk Search

Table : multi fields

LauraBre
Communicator

Hello,

I have a question about the table. I want to know if we can have a multi dimensions table? We can't do a "count by" with three fields so how we can do it? I want to have a table where we have the number of event by hour in each day of a week for example.

Thx by advance for your answer.

Laura

Tags (2)
0 Karma

Lamar
Splunk Employee
Splunk Employee

Laura,

You might be able to achieve that like this:

...<search>... startdaysago=7 | stats count by date_hour, date_wday

This should return something like this:

count       date_hour       date_wday
231445      15              monday
3343233     16              monday
0 Karma

LauraBre
Communicator

Thx for your answer. I have this following problem:

source="tcp:5544" | eval Transac=case(D_LAB_ERR="TIMEOUT_REACHED" OR D_LAB_ERR="TIMEOUT_REACHED_RECORD","PA Pb fin de session 3D Secure",STAT_VE="NO","VE No",STAT_VE="YES" AND SD_STAT_PA="YES","PA Yes",STAT_VE="YES" AND SD_STAT_PA="ATTEMPT","PA Attempt",STAT_VE="YES" AND SD_STAT_PA="NO", "PA No")|stats count by PURCH_MONTH,PURCH_DATE,Transac

In my search I want to have the Transac in column but with this I have them in line. How can I do to have PURCH_MONTH and PURCH_DATE in line and Transac in column???

Thx by advance,

Laura

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...