Re: Table : multi fields

LauraBre · ‎06-19-2012

Hello,

I have a question about the table. I want to know if we can have a multi dimensions table? We can't do a "count by" with three fields so how we can do it? I want to have a table where we have the number of event by hour in each day of a week for example.

Thx by advance for your answer.

Laura

Lamar · ‎06-19-2012

Laura,

You might be able to achieve that like this:

...<search>... startdaysago=7 | stats count by date_hour, date_wday

This should return something like this:

count       date_hour       date_wday
231445      15              monday
3343233     16              monday

LauraBre · ‎06-20-2012

Thx for your answer. I have this following problem:

source="tcp:5544" | eval Transac=case(D_LAB_ERR="TIMEOUT_REACHED" OR D_LAB_ERR="TIMEOUT_REACHED_RECORD","PA Pb fin de session 3D Secure",STAT_VE="NO","VE No",STAT_VE="YES" AND SD_STAT_PA="YES","PA Yes",STAT_VE="YES" AND SD_STAT_PA="ATTEMPT","PA Attempt",STAT_VE="YES" AND SD_STAT_PA="NO", "PA No")|stats count by PURCH_MONTH,PURCH_DATE,Transac

In my search I want to have the Transac in column but with this I have them in line. How can I do to have PURCH_MONTH and PURCH_DATE in line and Transac in column???

Thx by advance,

Laura

Table : multi fields

Get the T-shirt to Prove You Survived Splunk University Bootcamp

Introducing the Splunk Community Dashboard Challenge!

Wondering How to Build Resiliency in the Cloud?