Splunk Search

1 column has multi

kennethyeung
New Member

I have a table record which is:
date, product, price
20171015, ABC, 10
20171015, CDE, 9
20171016, ABC, 8
20171017, CDE, 10

and I want to plot a multi-line chart by date, product.
How can I do that?
Thanks

0 Karma

HiroshiSatoh
Champion

Try this!

(your search)|chart sum(price) by date,product

0 Karma

kennethyeung
New Member

Thanks, it works. I just want to ask: when do you use chart and when do you use table?
I tried table sum(price) by date, product but it did not work.

Thanks

0 Karma

Richfez
SplunkTrust

"Table" and "Chart" have very specific meanings in Splunk.

If you create a table with the table command, it does not do anything fancy - it doesn't sum, count or do "work". Instead, all it does is tell Splunk which fields (that already exist) you'd like to display.

The chart command is a whole different kind of command. It's related to the timechart, stats and other commands. They "transform" the output entirely, summarizing rows, calculating averages, or otherwise taking X number of events and making a smaller set of Y information out of them.

You often use the two sets of commands together.

As a sort of silly example, if you run

(your search)|chart sum(price) by date,product

You will get the fields (columns) in a certain order with the sum of price last. If you wanted, say, the sum of the price to be the first column, you could rearrange those results with 'table', like

(your search)|chart sum(price) by date,product | table sum(price), date, product

There's better ways to do that, but I thought an example that you can already run would be the most useful. Try changing the order of the items in the table command to see what effect they have.

So to put it all together and specifically answer your comment: when you tried to replace the chart with table, the field you wanted to display, sum(price), no longer existed, because table can't MAKE a field like that; it is only a way to change HOW a field like that may be displayed.

Does that help?

Happy Splunking!
-Rich

0 Karma

Richfez
SplunkTrust

Also, I believe the Splunk education course "Fundamentals I" is free to take for everyone - You should do that! It's a great course, go at your own pace, takes about a work-day's worth of work, but should really help with some of this stuff!

Just go here to the Splunk Education pages, sign up for the course, and start Splunking! (And no, they don't really spam your email or anything). BTW that link seems pretty specifically for the "most recent" Edu page, so it may change if you are reading this post in 2018 or later. In that case, just go to Splunk.com and click the "Education" link in the top right menu.

0 Karma

kennethyeung
New Member

I registered for the free course before but didn't finish it within 30 days. How can I restart the course?

0 Karma

cmerriman
Super Champion

You cannot use stats commands with table. You could use |stats sum(price) as price by date product, but the products would be in one column and not in multiple columns, and the chart wouldn't be right. The trick is: if you are going to have a multi-series chart, use chart or timechart. Otherwise, stats will work.

0 Karma
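To make the chart-versus-table and chart-versus-stats points above concrete, here is a self-contained search you can paste into any Splunk search bar. It is an added example, not code from the thread or from Splunk documentation. The four rows from the question are constructed inline with makeresults and eval, so it needs no index; the field names date, product and price are the ones used in the question.

```spl
| makeresults count=4
| streamstats count AS n
| eval date=case(n=1, "20171015", n=2, "20171015", n=3, "20171016", n=4, "20171017")
| eval product=case(n=1, "ABC", n=2, "CDE", n=3, "ABC", n=4, "CDE")
| eval price=case(n=1, 10, n=2, 9, n=3, 8, n=4, 10)
| fields - _time n
| chart sum(price) OVER date BY product
| table ABC CDE date
```

Up to the fields command, the search only builds the sample events. The chart command is the one doing the work: it pivots the rows so that the first split field (date) becomes the row axis and each value of the second split field (product) becomes its own column, which is why the result has columns named date, ABC and CDE rather than a column named sum(price). Dates with no sales of a product get an empty cell, and the chart visualization then draws one line per product column, the multi-series chart asked for. The final table command creates nothing; it only reorders the columns that chart already produced, and naming a field that does not exist there, such as sum(price), yields an empty column. To see the shape cmerriman describes, replace the last two lines with | stats sum(price) AS price BY date product: you get one row per date and product pair with product as an ordinary column, which the chart visualization treats as a single series.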