I have a table whose records are:
date, product, price
20171015, ABC,10
20171015, CDE,9
20171016, ABC,8
20171017, CDE,10
and I want to plot a multi-line chart by date, product.
How can I do that?
Thanks
Try this!
(your search)|chart sum(price) by date,product
Thanks, it works. I just want to ask when to use chart and when to use table.
I tried table sum(price) by date, product and it did not work.
Thanks
"Table" and "Chart" have very specific meanings in Splunk.
If you create a table with the table command, it does not do anything fancy - it doesn't sum, count or do "work". Instead, all it does is tell Splunk which fields (that already exist) you'd like to display.
The chart command is a whole different kind of command. It's related to the timechart, stats and other commands. They "transform" the output entirely, summarizing rows, calculating averages, or otherwise taking X number of events and making a smaller set of Y information out of them.
You often use the two sets of commands together.
As a sort of silly example, if you run
(your search)|chart sum(price) by date,product
You will get the fields (columns) in a certain order with the sum of price last. If you wanted, say, the sum of the price to be the first column, you could rearrange those results with 'table', like
(your search)|chart sum(price) by date,product | table sum(price), date, product
There are better ways to do that, but I thought an example that you can already run would be the most useful. Try changing the order of the items in the table command to see what effect they have.
So to put it all together and specifically answer your comment, when you tried to replace the chart with table, the field you wanted to display, sum(price), no longer existed, because table can't MAKE a field like that; it is only a way to change HOW a field like that may be displayed.
Does that help?
Happy Splunking!
-Rich
Also, I believe the Splunk education course "Fundamentals I" is free to take for everyone - You should do that! It's a great course, go at your own pace, takes about a work-day's worth of work, but should really help with some of this stuff!
Just go here to the Splunk Education pages, sign up for the course, and start Splunking! (And no, they don't really spam your email or anything). BTW that link seems pretty specifically for the "most recent" Edu page, so it may change if you are reading this post in 2018 or later. In that case, just go to Splunk.com and click the "Education" link in the top right menu.
I registered for the free course before but didn't finish within 30 days. How can I restart the course?
You cannot use stats commands with table.
You could use
|stats sum(price) as price by date product
but the products would be in one column and not in multiple columns, and the chart wouldn't be right. The trick is if you are going to have a multi-series chart, use chart or timechart. Otherwise, stats will work.
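The difference the answers above describe, as an added example that is not part of the original thread and is not Splunk code: a simplified Python model of stats, chart and table run on the rows from the question. The function names (stats_sum, chart_sum, table) are hypothetical and only approximate the SPL commands.

```python
# Simplified Python model of three SPL commands, run on the rows from the question.
# Illustration only: hypothetical helpers, not Splunk code, not every SPL detail.
from collections import defaultdict

ROWS = [  # sample events copied from the question
    {"date": "20171015", "product": "ABC", "price": 10},
    {"date": "20171015", "product": "CDE", "price": 9},
    {"date": "20171016", "product": "ABC", "price": 8},
    {"date": "20171017", "product": "CDE", "price": 10},
]

def stats_sum(rows, field, by):
    """Model of `stats sum(field) by ...`: one output row per group (long format)."""
    totals = defaultdict(int)
    for r in rows:
        totals[tuple(r[b] for b in by)] += r[field]
    out = []
    for key in sorted(totals):
        row = dict(zip(by, key))
        row[f"sum({field})"] = totals[key]
        out.append(row)
    return out

def chart_sum(rows, field, over, split):
    """Model of `chart sum(field) by over,split`: one row per `over` value and
    one column per `split` value (wide format, one chart series per column)."""
    wide = defaultdict(dict)
    for r in rows:
        cell = wide[r[over]]
        cell[r[split]] = cell.get(r[split], 0) + r[field]
    return [{over: k, **wide[k]} for k in sorted(wide)]

def table(rows, *fields):
    """Model of `table`: selects and orders existing fields, computes nothing."""
    return [{f: r.get(f) for f in fields} for r in rows]

if __name__ == "__main__":
    for name, result in [
        ("stats (products in one column)", stats_sum(ROWS, "price", ["date", "product"])),
        ("chart (one column per product)", chart_sum(ROWS, "price", "date", "product")),
        ("table on raw events (sum(price) is empty)", table(ROWS, "sum(price)", "date", "product")),
    ]:
        print(name)
        for row in result:
            print("  ", row)
```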