Splunk Search

How to get event counts for multiple fields grouped by another field?

splunker1981
Path Finder

Hello all,

New to Splunk and been trying to figure out this for a while now. Not making much progress, so thought I'd ask the experts. I would like to count events for two fields grouped by another field.

Right now, if I run the following command, I get the results I'm looking for, but the way they are being displayed is not exactly how I would like it.

searchHere | stats count as total by cust_action, account | stats values(cust_action) AS action, values(total) by account

This provides me something like shown below:

 account      action           total
 userA      submitted       4
              resubmitted     1
 userB      submitted       1
              resubmitted      0
 userC      submitted       1
              resubmitted     3
              cancelled     1

What I would like to do is have the column name in the results be the value from cust_action field and put the count below each one by per account

account     submitted     resubmitted     cancelled
userA      4             1               0

userB      1             0               0

userC      1             3               1

Thanks for the help in advanced.

Tags (3)
1 Solution

somesoni2
Revered Legend

This should do it

searchHere | chart count as total over account by cust_action

View solution in original post

woodcock
Esteemed Legend

Like this:

searchHere | chart  count BY account cust_action
0 Karma

somesoni2
Revered Legend

This should do it

searchHere | chart count as total over account by cust_action
Get Updates on the Splunk Community!

Index This | Forward, I’m heavy; backward, I’m not. What am I?

April 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

A Guide To Cloud Migration Success

As enterprises’ rapid expansion to the cloud continues, IT leaders are continuously looking for ways to focus ...

Join Us for Splunk University and Get Your Bootcamp Game On!

If you know, you know! Splunk University is the vibe this summer so register today for bootcamps galore ...