topic 1 column have mutli in Splunk Search

1 column have mutli

kennethyeung — Sat, 21 Oct 2017 07:59:55 GMT

i have a table record is
date, product, price
20171015, ABC,10
20171015, CDE,9
20171016, ABC,8
20171017, CDE,10

and i want to point a multi line chart to by Date , product
how can i do that?
Thanks

Re: 1 column have mutli

HiroshiSatoh — Sat, 21 Oct 2017 08:15:07 GMT

Try this!

(your search)|chart sum(price) by date,product

Re: 1 column have mutli

kennethyeung — Sat, 21 Oct 2017 10:57:19 GMT

thanks, it works, just want to ask when use chart and when use table
i tried table sum(price) by date, product not work.

Thanks

Re: 1 column have mutli

cmerriman — Sat, 21 Oct 2017 12:53:02 GMT

You can not use stats commands with table you could use |stats sum(price) as price by date product but the products would be in ine column and not in multiple columns, and the chart wouldn’t be right. The trick is if you are going to have a multi-series chart, use chart Or timechart Otherwise, stats will work

Re: 1 column have mutli

Richfez — Sat, 21 Oct 2017 12:56:34 GMT

"Table" and "Chart" have very specific meanings in Splunk.

If you create a table with the table command, it does not do anything fancy - it doesn't sum, count or do "work". Instead, all it does is tell Splunk which fields (that already exist) you'd like to display.

The chart command is a whole different kind of command. It's related to the timechart, stats and other commands. They "transform" the output entirely, summarizing rows, calculating averages, or otherwise taking X number of events and making a smaller set of Y information out of them.

You often use the two sets of commands together.

As a sort of silly example, if you run

(your search)|chart sum(price) by date,product

You will get the fields (columns) in a certain order with the sum of price last. If you wanted, say, the sum of the price to be the first column, you could rearrange those results with 'table', like

(your search)|chart sum(price) by date,product | table sum(price), date, product

There's better ways to do that, but I thought an example that you can already run would be the most useful. Try changing the order of the items in the table command to see what effect they have.

So to put it all together and specifically answer your comment, when you tried to replace the chart with table, the field you wanted to display sum(price no longer existed, because table can't MAKE a field like that, it it only a way to change HOW a field like that may be displayed.

Does that help?

Happy Splunking!
-Rich

Re: 1 column have mutli

Richfez — Sat, 21 Oct 2017 13:00:19 GMT

Also, I believe the Splunk education course "Fundamentals I" is free to take for everyone - You should do that! It's a great course, go at your own pace, takes about a work-day's worth of work, but should really help with some of this stuff!

Just go here to the Splunk Education pages, sign up for the course, and start Splunking! (And no, they don't really spam your email or anything). BTW that link seems pretty specifically for the "most recent" Edu page, so it may change if you are reading this post in 2018 or later. In that case, just go to Splunk.com and click the "Education" link in the top right menu.

Re: 1 column have mutli

kennethyeung — Sun, 22 Oct 2017 07:05:11 GMT

i registered the free course before but didnt finish within 30day, how can i restart the course?