Solved: Counting by one field and then grouping by month?

peksalli · ‎10-25-2012

Hello!

This question is probably trivial (I'm a newbie) but I just don't seem to be able to adjust my head to think how this is done. I am trying to count occurrences of each event type per month, having this kind of output:

month    field1    count
01       x         20
01       y         10
01       z         15
02       x         10
02       y         5
02       z         6

There are only about ten different values for field1, but they may change every month, so the values should come from the index.

So far I only have got to this:
source=mysource earliest=-10mon@mon | convert timeformat="%m" ctime(_time) AS month | cluster field="field1" countfield=count |table month, field1, count

Obviously this doesnt' work, as it clusters & counts over all time, not per month.

I have been thinking of using a subsearch like

source="mysource" earliest=-10mon@mon | stats values(field1)

which lists the distinct values, but how can I use this result?

Ayn · ‎10-25-2012

Just using stats with a by clause should do what you want.

... | stats count by month,field1

View solution in original post

Ayn · ‎10-25-2012

Just using stats with a by clause should do what you want.

... | stats count by month,field1

Ayn · ‎10-25-2012

No problem. If this answer solved your problem, please mark it as accepted. Thanks.

peksalli · ‎10-25-2012

Thanks, so it was trivial. All the "stats count by" examples I could found had only one parameter after "by".

Counting by one field and then grouping by month?

Introducing Splunk Enterprise 9.2

Adoption of RUM and APM at Splunk

Routing logs with Splunk OTel Collector for Kubernetes