https://community.splunk.com/t5/Splunk-Search/How-to-show-stats-count-grouped-by-two-fields-in-a-graph/m-p/286007#M86549 <P>I have 3 Ticket groups A, B, and C. And multiple users. My system logs every ticket purchased under each ticket group by each user as below. Every ticket purchase will have the below entry and exit log and user name in between.</P> <P>Entry Ticket system TicketgrpA ticketnbr = 1232424<BR /> SalesUser = user1<BR /> Exit Ticket system TicketgrpA ticketnbr = 1232424</P> <P>Entry Ticket system TicketgrpB ticketnbr = 1234353<BR /> SalesUser = user1<BR /> ExitTicket system TicketgrpB ticketnbr = 1234353</P> <P>Entry Ticket system TicketgrpC ticketnbr = 1232434<BR /> SalesUser = user4<BR /> Exit Ticket system TicketgrpC ticketnbr = 1232434</P> <P>I would like to show in a graph - Number of tickets purchased by each user under each group. <BR /> Y axis - Count<BR /> X axis - Users grouped by ticketGrp</P> <P>TKTSYS* will fetch all the event logs - entry, exit and Sales User. I used below query and it is showing under statistics as below but not showing ticketgrp in the graph. counts are showing combined for all ticketgroups for each user. I want to display them so that each ticket group count is shown grouped for each user.</P> <PRE><CODE>SalesUser ticketgrp Count user1 A 1 user2 B 2 index=jra_app_events sourcetype=eventing appVersion=TKTSYS TKTSYS* | transaction startswith="Entry Ticket system " endswith="Exit Ticket system" | eval ticketgrp=case(like(_raw, "%TicketgrpA%"), "A", like(_raw, "%TicketgrpB%"), "B", like(_raw, "%TicketgrpC%"), "C") | stats count by SalesUser, ticketgrp </CODE></PRE> <P>Any help would highly appreciated. Thanks.</P> Thu, 07 Apr 2016 16:29:15 GMT cseuser 2016-04-07T16:29:15Z https://community.splunk.com/t5/Splunk-Search/How-to-show-stats-count-grouped-by-two-fields-in-a-graph/m-p/286007#M86549 <P>I have 3 Ticket groups A, B, and C. And multiple users. My system logs every ticket purchased under each ticket group by each user as below. Every ticket purchase will have the below entry and exit log and user name in between.</P> <P>Entry Ticket system TicketgrpA ticketnbr = 1232424<BR /> SalesUser = user1<BR /> Exit Ticket system TicketgrpA ticketnbr = 1232424</P> <P>Entry Ticket system TicketgrpB ticketnbr = 1234353<BR /> SalesUser = user1<BR /> ExitTicket system TicketgrpB ticketnbr = 1234353</P> <P>Entry Ticket system TicketgrpC ticketnbr = 1232434<BR /> SalesUser = user4<BR /> Exit Ticket system TicketgrpC ticketnbr = 1232434</P> <P>I would like to show in a graph - Number of tickets purchased by each user under each group. <BR /> Y axis - Count<BR /> X axis - Users grouped by ticketGrp</P> <P>TKTSYS* will fetch all the event logs - entry, exit and Sales User. I used below query and it is showing under statistics as below but not showing ticketgrp in the graph. counts are showing combined for all ticketgroups for each user. I want to display them so that each ticket group count is shown grouped for each user.</P> <PRE><CODE>SalesUser ticketgrp Count user1 A 1 user2 B 2 index=jra_app_events sourcetype=eventing appVersion=TKTSYS TKTSYS* | transaction startswith="Entry Ticket system " endswith="Exit Ticket system" | eval ticketgrp=case(like(_raw, "%TicketgrpA%"), "A", like(_raw, "%TicketgrpB%"), "B", like(_raw, "%TicketgrpC%"), "C") | stats count by SalesUser, ticketgrp </CODE></PRE> <P>Any help would highly appreciated. Thanks.</P> Thu, 07 Apr 2016 16:29:15 GMT https://community.splunk.com/t5/Splunk-Search/How-to-show-stats-count-grouped-by-two-fields-in-a-graph/m-p/286007#M86549 cseuser 2016-04-07T16:29:15Z https://community.splunk.com/t5/Splunk-Search/How-to-show-stats-count-grouped-by-two-fields-in-a-graph/m-p/286008#M86550 <P>Try this</P> <PRE><CODE>index=jra_app_events sourcetype=eventing appVersion=TKTSYS TKTSYS* | transaction startswith="Entry Ticket system " endswith="Exit Ticket system" | eval ticketgrp=case(like(_raw, "%TicketgrpA%"), "A", like(_raw, "%TicketgrpB%"), "B", like(_raw, "%TicketgrpC%"), "C",1==1,"No Match") | chart count by SalesUser, ticketgrp </CODE></PRE> <P>Just use chart instead of stats</P> Thu, 07 Apr 2016 16:40:54 GMT https://community.splunk.com/t5/Splunk-Search/How-to-show-stats-count-grouped-by-two-fields-in-a-graph/m-p/286008#M86550 lguinn2 2016-04-07T16:40:54Z https://community.splunk.com/t5/Splunk-Search/How-to-show-stats-count-grouped-by-two-fields-in-a-graph/m-p/286009#M86551 <P>Try this</P> <PRE><CODE>.... | chart count over Users by ticketGrp </CODE></PRE> Thu, 07 Apr 2016 16:41:20 GMT https://community.splunk.com/t5/Splunk-Search/How-to-show-stats-count-grouped-by-two-fields-in-a-graph/m-p/286009#M86551 sundareshr 2016-04-07T16:41:20Z https://community.splunk.com/t5/Splunk-Search/How-to-show-stats-count-grouped-by-two-fields-in-a-graph/m-p/286010#M86552 <P>This gave the exact graph I was looking for. Thanks very much.</P> Thu, 07 Apr 2016 16:54:21 GMT https://community.splunk.com/t5/Splunk-Search/How-to-show-stats-count-grouped-by-two-fields-in-a-graph/m-p/286010#M86552 cseuser 2016-04-07T16:54:21Z