Splunk Search

count of a field, and then sort by day

barneser
Engager

Im looking to count by a field and that works with first part of syntex , then sort it by date.
both work independantly ,but not together.

Any ideas?

index=profile_new| stats count(cn1) by cs2 | stats count as daycount by date_mday

0 Karma

kamlesh_vaghela
SplunkTrust
SplunkTrust

@barneser

Can you please share more details with sample output?? meanwhile can you please try this ?

index=profile_new | chart count(cn1) over date_mday by cs2 | sort date_mday

gcusello
SplunkTrust
SplunkTrust

Hi @barneser,
after a stats command, you have only the fields that you used in the stats command.
So in your example, after the first stats command you have only count(cn1) and cs2, you haven't more date_mday or other fields.
If you need another field you have to add it to stats command using values or earliest (for dates).
For more infos see at https://docs.splunk.com/Documentation/Splunk/8.0.0/SearchReference/Stats .

Anyway, if you could describe better what you want to have as result, I could help you, because I don't understand your requisite.

In other words, if you run a statistic for cs2, what do you mean with "sort by date"?

Ciao.
Giuseppe

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...