https://community.splunk.com/t5/Splunk-Search/Chart-count-by-3-fields/m-p/566909#M197557 <P>Hello,</P><P>&nbsp;</P><P>I am trying to build a chart based on 3 fields: 2 calculated fields and a simple one:</P><P>|&nbsp; query="select OPEN_FY, OPEN_QUARTER, CLOSURE_FY, VULNERABILITY_LIFECYCLE, SOURCE, LAYER<BR />from table<BR />| [evaluate] DETECTION_TIME=if((OPEN_FY="21/22" AND OPEN_QUARTER ="Q2"),"new" , "old")<BR />| [evaluate]&nbsp; SOURCE=if((SOURCE!="QUALYS-P"), "Confirmed", "Potential")<BR />| chart count(DETECTION_TIME) by SOURCE over(LAYER)</P><P>the last line won't work. I would need to see the total number of vulnerabilities by source by&nbsp; detection time and by layer.</P><P>Is that possible?</P><P>Thanks</P> Mon, 13 Sep 2021 19:18:31 GMT DanielaEstera 2021-09-13T19:18:31Z https://community.splunk.com/t5/Splunk-Search/Chart-count-by-3-fields/m-p/566909#M197557 <P>Hello,</P><P>&nbsp;</P><P>I am trying to build a chart based on 3 fields: 2 calculated fields and a simple one:</P><P>|&nbsp; query="select OPEN_FY, OPEN_QUARTER, CLOSURE_FY, VULNERABILITY_LIFECYCLE, SOURCE, LAYER<BR />from table<BR />| [evaluate] DETECTION_TIME=if((OPEN_FY="21/22" AND OPEN_QUARTER ="Q2"),"new" , "old")<BR />| [evaluate]&nbsp; SOURCE=if((SOURCE!="QUALYS-P"), "Confirmed", "Potential")<BR />| chart count(DETECTION_TIME) by SOURCE over(LAYER)</P><P>the last line won't work. I would need to see the total number of vulnerabilities by source by&nbsp; detection time and by layer.</P><P>Is that possible?</P><P>Thanks</P> Mon, 13 Sep 2021 19:18:31 GMT https://community.splunk.com/t5/Splunk-Search/Chart-count-by-3-fields/m-p/566909#M197557 DanielaEstera 2021-09-13T19:18:31Z https://community.splunk.com/t5/Splunk-Search/Chart-count-by-3-fields/m-p/566915#M197560 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/238398">@DanielaEstera</a>&nbsp;Try using below command:<BR /><SPAN>| chart count(DETECTION_TIME) as&nbsp;DETECTION_TIME over&nbsp;LAYER by SOURCE</SPAN></P> Mon, 13 Sep 2021 20:13:07 GMT https://community.splunk.com/t5/Splunk-Search/Chart-count-by-3-fields/m-p/566915#M197560 ashvinpandey 2021-09-13T20:13:07Z https://community.splunk.com/t5/Splunk-Search/Chart-count-by-3-fields/m-p/566943#M197571 <P>Thank you so much&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/199978">@ashvinpandey</a>&nbsp; That worked like a charm!&nbsp;</P> Tue, 14 Sep 2021 06:44:43 GMT https://community.splunk.com/t5/Splunk-Search/Chart-count-by-3-fields/m-p/566943#M197571 DanielaEstera 2021-09-14T06:44:43Z https://community.splunk.com/t5/Splunk-Search/Chart-count-by-3-fields/m-p/567278#M197680 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/238398">@DanielaEstera</a>&nbsp;Also, If this solution helps you, an upvote would be appreciated.</P> Thu, 16 Sep 2021 15:25:59 GMT https://community.splunk.com/t5/Splunk-Search/Chart-count-by-3-fields/m-p/567278#M197680 ashvinpandey 2021-09-16T15:25:59Z https://community.splunk.com/t5/Splunk-Search/Chart-count-by-3-fields/m-p/568229#M198014 <P>Thank you, once again <span class="lia-unicode-emoji" title=":grinning_face_with_smiling_eyes:">😄</span></P> Thu, 23 Sep 2021 12:18:49 GMT https://community.splunk.com/t5/Splunk-Search/Chart-count-by-3-fields/m-p/568229#M198014 DanielaEstera 2021-09-23T12:18:49Z https://community.splunk.com/t5/Splunk-Search/Chart-count-by-3-fields/m-p/568233#M198015 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/238398">@DanielaEstera</a>&nbsp;Please mark the solution so that this question can be marked as solved and others can directly look over it, thanks.</P> Thu, 23 Sep 2021 12:30:08 GMT https://community.splunk.com/t5/Splunk-Search/Chart-count-by-3-fields/m-p/568233#M198015 ashvinpandey 2021-09-23T12:30:08Z