https://community.splunk.com/t5/Splunk-Search/Multiple-grouping-ofdata-over-chart/m-p/300374#M90431 <P>index="index" sourcetype="defects" (STATE="Closed" OR STATE="Retest Complete") DETECTED_IN_RELEASE="<EM>" SEVERITY="</EM>" ENVIRONMENT=D000002 OR ENVIRONMENT=D000007 OR ENVIRONMENT=Prod OR ENVIRONMENT=Production|sort DETECTED_IN_RELEASE |stats count(eval(ENVIRONMENT= "D000002" OR ENVIRONMENT="D000007")) as PPROD_IND count(eval(ENVIRONMENT="Prod" OR ENVIRONMENT="Production")) as PROD_IND by DETECTED_IN_RELEASE SEVERITY | stats sum(PPROD_IND) as TOT_PPROD sum(PROD_IND) as TOT_PROD by DETECTED_IN_RELEASE SEVERITY<BR /> | eval DRE%=round(TOT_PPROD/(TOT_PPROD+TOT_PROD)*100,1)<BR /> |rename DETECTED_IN_RELEASE as Release<BR /> | chart sum(TOT_PPROD) as PPROD sum(TOT_PROD) as PROD over Release by SEVERITY </P> <P>This is the query i am using but I am not able to dispaly DIE% as overlay field and also I need further classiifcation of Release i.e consider there are releases ab,cd,de,ef chart should display the fields in this format</P> <P>PProd,Prod PProd,Prod PProd,Prod PProd,Prod PProd,Prod PProd,Prod PProd,Prod PProd,Prod PProd,Prod<BR /> Sev 1 Sev2 Sev3 Sev 1 Sev2 Sev3 Sev 1 Sev2 Sev3<BR /> ab cd ef</P> Tue, 29 Sep 2020 17:36:24 GMT ujwalagangakoth 2020-09-29T17:36:24Z https://community.splunk.com/t5/Splunk-Search/Multiple-grouping-ofdata-over-chart/m-p/300372#M90429 <P><IMG src="https://community.splunk.com/storage/temp/226688-chart.png" alt="alt text" />I have to group defects based on severity and again based on release.the chart should contain multiple grouping first by severity then by release.I have two envs prod and pre prod .I have to group preprod and prod based on severity i.e for sev1 we need preprod and prod grouping same goes for sev2 and sev3 ,then these sev1,sev2,sev3 will be again grouped by release. so in chart , i need release wise grouping and in each release ,each severit contains prod and pre prod <BR /> index="index" sourcetype="defects" (STATE="Closed" OR STATE="Retest Complete") DETECTED_IN_RELEASE="<EM>" SEVERITY="</EM>" ENVIRONMENT=D000002 OR ENVIRONMENT=D000007 OR ENVIRONMENT=Prod OR ENVIRONMENT=Production|sort DETECTED_IN_RELEASE |stats count(eval(ENVIRONMENT= "D000002" OR ENVIRONMENT="D000007")) as PPROD_IND count(eval(ENVIRONMENT="Prod" OR ENVIRONMENT="Production")) as PROD_IND by DETECTED_IN_RELEASE SEVERITY | stats sum(PPROD_IND) as TOT_PPROD sum(PROD_IND) as TOT_PROD by DETECTED_IN_RELEASE SEVERITY<BR /> | eval DRE%=round(TOT_PPROD/(TOT_PPROD+TOT_PROD)*100,1)<BR /> |rename DETECTED_IN_RELEASE as Release<BR /> | chart sum(TOT_PPROD) as PPROD sum(TOT_PROD) as PROD over Release by SEVERITY </P> <P>This is the query i am using but I am not able to dispaly DIE% as overlay field and also I need further classiifcation of Release i.e consider there are releases ab,cd,de,ef chart should display the fields in this format in three level grouping</P> <P>PProd,Prod PProd,Prod PProd,Prod PProd,Prod PProd,Prod PProd,Prod PProd,Prod PProd,Prod PProd,Prod (env grouping)<BR /> Sev 1 Sev2 Sev3 Sev 1 Sev2 Sev3 Sev 1 Sev2 Sev3 (severity grouping)<BR /> ab cd ef (release grouping)</P> Tue, 29 Sep 2020 17:36:09 GMT https://community.splunk.com/t5/Splunk-Search/Multiple-grouping-ofdata-over-chart/m-p/300372#M90429 ujwalagangakoth 2020-09-29T17:36:09Z https://community.splunk.com/t5/Splunk-Search/Multiple-grouping-ofdata-over-chart/m-p/300373#M90430 <P>hey if you give us sample input event and output you want to achieve then it would be good.<BR /> Meanwhile try this</P> <PRE><CODE>index=your_index | stats count as no_of_defects by prod_environment severity release </CODE></PRE> <P>let me know if this helps you!</P> Wed, 10 Jan 2018 12:45:28 GMT https://community.splunk.com/t5/Splunk-Search/Multiple-grouping-ofdata-over-chart/m-p/300373#M90430 mayurr98 2018-01-10T12:45:28Z https://community.splunk.com/t5/Splunk-Search/Multiple-grouping-ofdata-over-chart/m-p/300374#M90431 <P>index="index" sourcetype="defects" (STATE="Closed" OR STATE="Retest Complete") DETECTED_IN_RELEASE="<EM>" SEVERITY="</EM>" ENVIRONMENT=D000002 OR ENVIRONMENT=D000007 OR ENVIRONMENT=Prod OR ENVIRONMENT=Production|sort DETECTED_IN_RELEASE |stats count(eval(ENVIRONMENT= "D000002" OR ENVIRONMENT="D000007")) as PPROD_IND count(eval(ENVIRONMENT="Prod" OR ENVIRONMENT="Production")) as PROD_IND by DETECTED_IN_RELEASE SEVERITY | stats sum(PPROD_IND) as TOT_PPROD sum(PROD_IND) as TOT_PROD by DETECTED_IN_RELEASE SEVERITY<BR /> | eval DRE%=round(TOT_PPROD/(TOT_PPROD+TOT_PROD)*100,1)<BR /> |rename DETECTED_IN_RELEASE as Release<BR /> | chart sum(TOT_PPROD) as PPROD sum(TOT_PROD) as PROD over Release by SEVERITY </P> <P>This is the query i am using but I am not able to dispaly DIE% as overlay field and also I need further classiifcation of Release i.e consider there are releases ab,cd,de,ef chart should display the fields in this format</P> <P>PProd,Prod PProd,Prod PProd,Prod PProd,Prod PProd,Prod PProd,Prod PProd,Prod PProd,Prod PProd,Prod<BR /> Sev 1 Sev2 Sev3 Sev 1 Sev2 Sev3 Sev 1 Sev2 Sev3<BR /> ab cd ef</P> Tue, 29 Sep 2020 17:36:24 GMT https://community.splunk.com/t5/Splunk-Search/Multiple-grouping-ofdata-over-chart/m-p/300374#M90431 ujwalagangakoth 2020-09-29T17:36:24Z