Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Timechart involving multiple "group by"

mumblingsages
Path Finder
‎08-11-2017 06:36 PM

I've given all my data 1 of 3 possible event types. In addition, each event has a field "foo" (which contains roughly 3 values).

What I want to do is....
-For each value in field foo
-count the number of occurrences for each event type
-Plot those counts over time.

I would expect that the resultant timechart would have ~3^3 lines with data points for each day.

How would I do this?

0 Karma
Reply

woodcock
Esteemed Legend
‎08-11-2017 07:33 PM

Like this:

Your Base Search Here
| eval foo2 = eventtype . "/" . foo
| timechart count BY foo2

Provided eventtype is never multi-valued.

0 Karma
Reply

mumblingsages
Path Finder
‎08-15-2017 10:45 AM

This would have worked absolutely perfectly if each of my events didn't have multiple event types assigned to them.

0 Karma
Reply

sbbadri
Motivator
‎08-11-2017 07:15 PM

... | bucket span=1d _time | chart count(eventtype) over foo by _time

0 Karma
Reply

mumblingsages
Path Finder
‎08-11-2017 07:32 PM

Perfect!!! Thanks a ton!!!

0 Karma
Reply

mumblingsages
Path Finder
‎08-11-2017 07:43 PM

Actually, thats not quite right. I'd be expecting ~36 different line and I'm not....

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars this month. This ...

They're back! Join the SplunkTrust and MVP at .conf24

With our highly anticipated annual conference, .conf, comes the fez-wearers you can trust! The SplunkTrust, as ...

Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...