- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Chart over multiple variables
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
day_receive_time="Wed, Oct 25, 2017" device_name="apple" app="mssql-db" bandwidth_consumption="161"
day_receive_time="Wed, Oct 25, 2017" device_name="apple" app="ldap" bandwidth_consumption="146"
day_receive_time="Wed, Oct 25, 2017" device_name="grape" app="syslog" bandwidth_consumption="69"
day_receive_time="Wed, Oct 25, 2017" device_name="grape" app="syslog" bandwidth_consumption="69"
i would like have data in format
device_name app bandwidth_consumption
apple mssql-db 161
ldap 146
syslog 69
grape syslog 69
Unable to create query for same , Can some please help with building query for same .
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@atulitm, I feel this is duplicate, I have already answered this question for you : https://answers.splunk.com/answers/586137/how-to-use-chart-command-to-get-data-over-3-variab.html
| makeresults | eval message= "Happy Splunking!!!"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@atulitm, I feel this is duplicate, I have already answered this question for you : https://answers.splunk.com/answers/586137/how-to-use-chart-command-to-get-data-over-3-variab.html
| makeresults | eval message= "Happy Splunking!!!"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Give this a try:
your base search | stats values(app) AS app values(bandwidth_consumption) AS bandwidth_consumption BY device_name
Here's some guidance on how to use stats in your searches:
http://docs.splunk.com/Documentation/Splunk/7.0.0/Search/Usethestatscommandandfunctions
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Actually also i need that data on per day_receive_time variable mention in logs so in other words i will be getting bwconsumption data daily for one device for each app and i want to show that in table per day ... coloum header should be variable
day_receive_time .. unable to create . can you plz help with same
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
So perhaps what you need is this:
your base search | stats values(app) AS app values(bandwidth_consumption) AS bandwidth_consumption by day_receive_time device_name
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks , i tried that before but problem is that i need dates to be column header and this query makes them as row .. Also i had tried adding
your base search | stats values(app) AS app values(bandwidth_consumption) AS bandwidth_consumption by day_receive_time device_name| transpose header_field=device_name | fields - column
but it doesnt work , i need dates as column header where it shows bandwidth_consumption underneath so it shows per app per day stats , so that in one table we could compare how bandwidth_consumption is increasing/decreasing and also if we can have that in chart .
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@atulitm, I think your current requirement has changed from the original table that you have posted in your question. Please post a sample updated table as per your need, so that community members can assist.
| makeresults | eval message= "Happy Splunking!!!"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
device_name app bandwidth_consumption
Wed, Oct 25, 2017 Thurs, Oct 26, 2017
apple mssql-db 161 120
ldap 146 132
syslog 69 85
grape syslog 69 80
Wed, Oct 25, 2017 and Thurs, Oct 26, 2017 you see in output are values of variable "day_receive_time" in log
@niketnilay I am looking for something like this which shows bandwidth_consumption of each app per device per day and also a chart out of it . I tried using stats command , i can get output but not in way i want . thnx
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
One more thing .. this looks like giving me desired results but problem is it creates column for app too per day where i need to see app and then how much bandwidth_consumption per day as shown above .
index | chart values(app) AS app values(bandwidth_consumption) AS bandwidth_consumption by device_name day_receive_time
Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...
Splunk APM: New Product Features + Community Office Hours Recap!
Index This | Forward, I’m heavy; backward, I’m not. What am I?
