How do I do a stats count for 2 diffrent interesti...

svemurilv · ‎08-25-2017

am in a situation, I have 2 Interesting Fields Field1 has A,B values and Field2 has again A,B values I just want to generate the report like
rename the Field1-A as Mobile and Field1-B AS desktop and Field2-A as chrome and Field2-B as IE and then the report would be like

                   Desktop   |   Mobile | total      | Chrome        | IE |total
 _time   |        10      |    12    |   22        |      20       | 4  |  24

how would it possible?

DalJeanis · ‎08-25-2017

Run anywhere sample

| makeresults 
| eval mydata="Desktop,IE Desktop,Chrome Desktop,Chrome Mobile,Chrome Mobile,IE Mobile,Chrome Mobile,Chrome Mobile,Opera"
| makemv mydata 
| mvexpand mydata 
| rex field=mydata "(?<Field1>[^,]*),(?<Field2>.*)"
| rename COMMENT as "the above generates test data"

| fields Field1 Field2
| appendpipe 
     [| stats count as MyCount by Field1 
      | eval MyField="F1__".Field1 
      | table MyField MyCount 
      | addtotals row=f col=t labelfield=MyField label="F1_total" 
      | eval rectype="Summary"
      ]
| appendpipe 
    [| where isnull(rectype)|stats count as MyCount by Field2 
     | eval MyField="F2__".Field2 
     | table MyField MyCount 
     | addtotals row=f col=t labelfield=MyField label="F2_total" 
      | eval rectype="Summary"
      ]
| chart sum(MyCount) as count by rectype MyField

Notes - the lower case t on totals is required to force sorting to the right of the related columns.

cmerriman · ‎08-25-2017

can you share your current query and/or a sample or the data output for your two fields? it would be easier to come up with a solution if the community could see the data/query before reaching the expected output.

How do I do a stats count for 2 diffrent interesting fields?

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!