topic How to chart over multiple fields? in Splunk Search https://community.splunk.com/t5/Splunk-Search/How-to-chart-over-multiple-fields/m-p/651957#M225356 <P>my query:<BR /><BR /></P> <LI-CODE lang="markup">index=abd ("start app" AND "app listed") |rex field=_raw "APP:\s+(&lt;application1&gt;\S+)" |rex field=_raw "LLA:\s+\[?&lt;dip&gt;[^\]]+)." |dedup dip |chart over application1 |appendcols [|search index=abd ("POST /ui/logs" OR "POST /ui/data" OR "POST /ui/vi/reg") AND "state: complete" |rex field=_raw "APP: (?&lt;application2&gt;\w+)" |rex field=_raw "LLA:\s+\[?&lt;dip&gt;[^\]]+)." |dedup dip |chart over application2</LI-CODE> <P><BR /><BR /><BR />i want output as shown below: HOW TO GET THIS??</P> <TABLE border="1" width="100%"> <TBODY> <TR> <TD width="25%" height="24px">application1</TD> <TD width="25%" height="24px">count</TD> <TD width="25%" height="24px">application2</TD> <TD width="25%" height="24px">count</TD> </TR> <TR> <TD width="25%" height="24px">L1</TD> <TD width="25%" height="24px">10</TD> <TD width="25%" height="24px">L1</TD> <TD width="25%" height="24px">15</TD> </TR> <TR> <TD width="25%" height="24px">M2</TD> <TD width="25%" height="24px">20</TD> <TD width="25%" height="24px">M2</TD> <TD width="25%" height="24px">4</TD> </TR> <TR> <TD width="25%" height="24px">L3</TD> <TD width="25%" height="24px">45</TD> <TD width="25%" height="24px">L3</TD> <TD width="25%" height="24px">100</TD> </TR> </TBODY> </TABLE> Tue, 25 Jul 2023 18:37:47 GMT mahesh27 2023-07-25T18:37:47Z How to chart over multiple fields? https://community.splunk.com/t5/Splunk-Search/How-to-chart-over-multiple-fields/m-p/651957#M225356 <P>my query:<BR /><BR /></P> <LI-CODE lang="markup">index=abd ("start app" AND "app listed") |rex field=_raw "APP:\s+(&lt;application1&gt;\S+)" |rex field=_raw "LLA:\s+\[?&lt;dip&gt;[^\]]+)." |dedup dip |chart over application1 |appendcols [|search index=abd ("POST /ui/logs" OR "POST /ui/data" OR "POST /ui/vi/reg") AND "state: complete" |rex field=_raw "APP: (?&lt;application2&gt;\w+)" |rex field=_raw "LLA:\s+\[?&lt;dip&gt;[^\]]+)." |dedup dip |chart over application2</LI-CODE> <P><BR /><BR /><BR />i want output as shown below: HOW TO GET THIS??</P> <TABLE border="1" width="100%"> <TBODY> <TR> <TD width="25%" height="24px">application1</TD> <TD width="25%" height="24px">count</TD> <TD width="25%" height="24px">application2</TD> <TD width="25%" height="24px">count</TD> </TR> <TR> <TD width="25%" height="24px">L1</TD> <TD width="25%" height="24px">10</TD> <TD width="25%" height="24px">L1</TD> <TD width="25%" height="24px">15</TD> </TR> <TR> <TD width="25%" height="24px">M2</TD> <TD width="25%" height="24px">20</TD> <TD width="25%" height="24px">M2</TD> <TD width="25%" height="24px">4</TD> </TR> <TR> <TD width="25%" height="24px">L3</TD> <TD width="25%" height="24px">45</TD> <TD width="25%" height="24px">L3</TD> <TD width="25%" height="24px">100</TD> </TR> </TBODY> </TABLE> Tue, 25 Jul 2023 18:37:47 GMT https://community.splunk.com/t5/Splunk-Search/How-to-chart-over-multiple-fields/m-p/651957#M225356 mahesh27 2023-07-25T18:37:47Z Re: chart over multiple fields https://community.splunk.com/t5/Splunk-Search/How-to-chart-over-multiple-fields/m-p/651959#M225357 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/249143">@mahesh27</a>&nbsp;,</P><P>have application1 and application2 the same values? and you want the count of each value in application1 and application2?</P><P>if yes, you could try something like this:</P><LI-CODE lang="markup">index=abd ("start app" AND "app listed") OR (("POST /ui/logs" OR "POST /ui/data" OR "POST /ui/vi/reg") "state: complete") | rex field=_raw "APP:\s+(&lt;application&gt;\S+)" | rex field=_raw "LLA:\s+\[?&lt;dip&gt;[^\]]+)." | eval app=if(searchmatch("state: complete"),"application2","application1" | chart count(eval(app="application1")) AS application1 count(eval(app="application2")) AS application2 BY application</LI-CODE><P>Ciao.</P><P>Giuseppe</P> Tue, 25 Jul 2023 18:01:51 GMT https://community.splunk.com/t5/Splunk-Search/How-to-chart-over-multiple-fields/m-p/651959#M225357 gcusello 2023-07-25T18:01:51Z Re: chart over multiple fields https://community.splunk.com/t5/Splunk-Search/How-to-chart-over-multiple-fields/m-p/651968#M225360 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/161352">@gcusello</a>&nbsp;, application 1 and application 2 has same application names but different counts, so i want to get the application names and count separately for each application.<BR /><BR />i tried the query which you provided i am not getting any results.</P> Tue, 25 Jul 2023 18:17:38 GMT https://community.splunk.com/t5/Splunk-Search/How-to-chart-over-multiple-fields/m-p/651968#M225360 mahesh27 2023-07-25T18:17:38Z Re: chart over multiple fields https://community.splunk.com/t5/Splunk-Search/How-to-chart-over-multiple-fields/m-p/651989#M225370 <P>Have you accounted for some syntax errors? &nbsp;A valid search would look like</P><LI-CODE lang="markup">index=abd ( ("start app" AND "app listed") OR ("POST /ui/logs" OR "POST /ui/data" OR "POST /ui/vi/reg") AND "state: complete") | rex field=_raw "APP:\s+(?&lt;application&gt;\S+)" | rex field=_raw "LLA:\s+\[(?&lt;dip&gt;[^\]]+)." | dedup dip | eval app=if(searchmatch("state: complete"),"application2","application1") | chart count(eval(app="application1")) AS application1 count(eval(app="application2")) AS application2 BY application</LI-CODE><P>If there is no output, it simply means that&nbsp;<FONT face="courier new,courier">| rex field=_raw "APP:\s+(?&lt;application&gt;\S+)"</FONT>&nbsp;(which <a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/161352">@gcusello</a>&nbsp;copied from your sample code) extracts nothing. &nbsp;You need to examine your raw data and find out what is the correct regex. &nbsp;Alternatively, you will need to post data samples to get help on regex.</P> Tue, 25 Jul 2023 23:28:19 GMT https://community.splunk.com/t5/Splunk-Search/How-to-chart-over-multiple-fields/m-p/651989#M225370 yuanliu 2023-07-25T23:28:19Z Re: chart over multiple fields https://community.splunk.com/t5/Splunk-Search/How-to-chart-over-multiple-fields/m-p/652089#M225393 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/249143">@mahesh27</a>&nbsp;</P><P>with my solution, you have a different count for application1 and application2.</P><P>the issue should be on the regexes, could you share some samples from application1 and application2?</P><P>Ciao.</P><P>Giuseppe</P> Wed, 26 Jul 2023 15:40:09 GMT https://community.splunk.com/t5/Splunk-Search/How-to-chart-over-multiple-fields/m-p/652089#M225393 gcusello 2023-07-26T15:40:09Z