topic Re: Unable to get field value wise segregation count through stats and timechart in Splunk Search https://community.splunk.com/t5/Splunk-Search/Field-values/m-p/516893#M145305 <P>Got the answer with the below</P><LI-SPOILER>sourcetype=access_combined | eval action = if(isnull(action) OR action="", "unknown", action) | bin span=72h _time | stats count as totals by action, span(=_time,72h) | sort -_time,action​</LI-SPOILER> Sun, 30 Aug 2020 06:52:32 GMT obularajud16 2020-08-30T06:52:32Z Field values https://community.splunk.com/t5/Splunk-Search/Field-values/m-p/516839#M145284 <UL><LI>&nbsp;</LI></UL><P>&nbsp;</P><P>Ghj</P><LI-CODE lang="markup">sourcetype=access_combined | eval action = if(isnull(action) OR action="", "Unknown", action) | timechart span=40h values(action),count(action)</LI-CODE><P>&nbsp;</P> Thu, 03 Sep 2020 04:25:45 GMT https://community.splunk.com/t5/Splunk-Search/Field-values/m-p/516839#M145284 obularajud16 2020-09-03T04:25:45Z Re: Unable to get field value wise segregation count through stats and timechart https://community.splunk.com/t5/Splunk-Search/Field-values/m-p/516842#M145285 <P>sourcetype=access_combined | eval action = if(isnull(action) OR action="", "Unknown", action) | timechart span=40h count by action</P> Sat, 29 Aug 2020 09:39:40 GMT https://community.splunk.com/t5/Splunk-Search/Field-values/m-p/516842#M145285 to4kawa 2020-08-29T09:39:40Z Re: Unable to get field value wise segregation count through stats and timechart https://community.splunk.com/t5/Splunk-Search/Field-values/m-p/516851#M145287 <P>As I mentioned, i need data in row format not in column format to group by multiple fields</P><P>&nbsp;</P><P>timechart span=40h count by action, status</P><P>&nbsp;</P><P>&nbsp;</P> Sat, 29 Aug 2020 11:27:43 GMT https://community.splunk.com/t5/Splunk-Search/Field-values/m-p/516851#M145287 obularajud16 2020-08-29T11:27:43Z Re: Unable to get field value wise segregation count through stats and timechart https://community.splunk.com/t5/Splunk-Search/Field-values/m-p/516854#M145290 <P>Easiest way is combine those values like:</P><P>eval a_s = action . "-".status&nbsp;</P><P>| timechart span=40h count by a_s</P><P>&nbsp;</P><P>Otherwise you must start to play with bin + stats/chart/xyseries</P><P>r. Ismo</P> Sat, 29 Aug 2020 12:08:16 GMT https://community.splunk.com/t5/Splunk-Search/Field-values/m-p/516854#M145290 isoutamo 2020-08-29T12:08:16Z Re: Unable to get field value wise segregation count through stats and timechart https://community.splunk.com/t5/Splunk-Search/Field-values/m-p/516868#M145296 <LI-CODE lang="markup">sourcetype=access_combined | eval action = if(isnull(action) OR action="", "Unknown", action) | bin _time span=40h | chart count over _time by action</LI-CODE> Sat, 29 Aug 2020 16:19:07 GMT https://community.splunk.com/t5/Splunk-Search/Field-values/m-p/516868#M145296 thambisetty 2020-08-29T16:19:07Z Re: Unable to get field value wise segregation count through stats and timechart https://community.splunk.com/t5/Splunk-Search/Field-values/m-p/516893#M145305 <P>Got the answer with the below</P><LI-SPOILER>sourcetype=access_combined | eval action = if(isnull(action) OR action="", "unknown", action) | bin span=72h _time | stats count as totals by action, span(=_time,72h) | sort -_time,action​</LI-SPOILER> Sun, 30 Aug 2020 06:52:32 GMT https://community.splunk.com/t5/Splunk-Search/Field-values/m-p/516893#M145305 obularajud16 2020-08-30T06:52:32Z