Solved: Chart and trellis

prettysunshinez · ‎05-12-2020

Hi All,

Would like to know if something like this will work or will there be any other possible solutions.

Chart count over field1 by field2, field3
And i would want to visualise the chart in trellis mode on the basis of field3.

Kindly suggest.
Thanks in advance

niketn · ‎05-12-2020

@prettysunshinez chart will not allow three field aggregation so you may have to stats with eval {field2}= aggregation

<yourCurrentSearch>
| stats count by field1 field2 field3
| eval {field2}=count
| fields - field2 count

Then choose trellis by field3

Following is a run anywhere example based on Splunk's _internal index that can be used to split by component and display count over date_hour by log_level

index=_internal sourcetype=splunkd log_level!=INFO
| stats count by date_hour log_level component
| eval {log_level}=count
| fields - count log_level

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

View solution in original post

niketn · ‎05-12-2020

@prettysunshinez chart will not allow three field aggregation so you may have to stats with eval {field2}= aggregation

<yourCurrentSearch>
| stats count by field1 field2 field3
| eval {field2}=count
| fields - field2 count

Then choose trellis by field3

Following is a run anywhere example based on Splunk's _internal index that can be used to split by component and display count over date_hour by log_level

index=_internal sourcetype=splunkd log_level!=INFO
| stats count by date_hour log_level component
| eval {log_level}=count
| fields - count log_level

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

prettysunshinez · ‎05-12-2020

Thank you so much..It helped!!

Chart and trellis

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms