How to get event counts for multiple fields grouped by another field?

splunker1981 — Fri, 24 Jun 2016 15:19:31 GMT

Hello all,

New to Splunk and been trying to figure out this for a while now. Not making much progress, so thought I'd ask the experts. I would like to count events for two fields grouped by another field.

Right now, if I run the following command, I get the results I'm looking for, but the way they are being displayed is not exactly how I would like it.

searchHere | stats count as total by cust_action, account | stats values(cust_action) AS action, values(total) by account

This provides me something like shown below:

 account      action           total
 userA      submitted       4
              resubmitted     1
 userB      submitted       1
              resubmitted      0
 userC      submitted       1
              resubmitted     3
              cancelled     1

What I would like to do is have the column name in the results be the value from cust_action field and put the count below each one by per account

account     submitted     resubmitted     cancelled
userA      4             1               0

userB      1             0               0

userC      1             3               1

Thanks for the help in advanced.

Re: How to get event counts for multiple fields grouped by another field?

somesoni2 — Fri, 24 Jun 2016 15:25:06 GMT

This should do it

searchHere | chart count as total over account by cust_action

Re: How to get event counts for multiple fields grouped by another field?

woodcock — Sat, 25 Jun 2016 02:39:30 GMT

Like this:

searchHere | chart  count BY account cust_action

topic Re: How to get event counts for multiple fields grouped by another field? in Splunk Search

How to get event counts for multiple fields grouped by another field?

Re: How to get event counts for multiple fields grouped by another field?

Re: How to get event counts for multiple fields grouped by another field?