topic Re: How to achieve timechart query group by multiple fields? in Splunk Search

How to achieve timechart query group by multiple fields?

splunkuser320 — Wed, 10 May 2023 17:08:43 GMT

Hi, I am trying to create a line graph where I want to show job status overtime. So I want 1 line for failed and another for passed jobs.

query |
| rex field=event "'job_name': '(?<job_name>.+?)',"
| rex field=event "'job_status': '(?<job_status>.+?)',"
| timechart count by job_status

Above query is grouping by staus all jobs together. I want to split the status by jobs.

Thanks

Re: How to achieve timechart query group by multiple fields?

bowesmana — Wed, 10 May 2023 22:39:08 GMT

The simplest way is to do

Re: How to achieve timechart query group by multiple fields?

acharlieh — Thu, 11 May 2023 00:19:04 GMT

If you watch @alacercogitatus' perennial .conf talk "Lesser Known Search Commands" , another way to achieve this, is through using eval to create fields named for other field values.

For example:

| rex ... | eval JS_{job_status} = 1 | timechart count(JS_*) as * by job_name

Of course I'm assuming there's not many potential values to job_status, or else, oof, that could be a bit brutal for the number of fields... and you can use this trick with any other statistical function here as well...