topic Re: Chart and table of occurences of field by another field in Splunk Search

Chart and table of occurences of field by another field

swdowiarz — Mon, 22 Jan 2018 09:17:02 GMT

I would like to have some chart ( bar etc.) and table of logs which contain two information titleID and userID.
I would like to have table and chart of each user and sum of each titleID for him.

I'm using this search, but I'm not sure about it:

... | top "data.titleID" by "data.userID" | table "data.userID" "data.titleID" count

Re: Chart and table of occurences of field by another field

gcusello — Mon, 22 Jan 2018 09:31:48 GMT

Hi swdowiarz,
hi did you already tried with

your_search
| stats sum(titleID) AS titleID BY userID
|  sort -titleID

?
if in addition you like to have only the first 10 top values you can add tho the above search | head 10

Bye.
Giuseppe

Re: Chart and table of occurences of field by another field

swdowiarz — Mon, 22 Jan 2018 09:40:50 GMT

I don't know why but SUM(titleID) does not work for me, I don't know why

Re: Chart and table of occurences of field by another field

mayurr98 — Mon, 22 Jan 2018 09:49:44 GMT

what is your fieldname titleID or data.titleID?

Re: Chart and table of occurences of field by another field

gcusello — Mon, 22 Jan 2018 09:50:15 GMT

Are you sure that titleID is a number?
Byte.
Giuseppe

Re: Chart and table of occurences of field by another field

swdowiarz — Mon, 22 Jan 2018 10:04:44 GMT

oh yes, because my log contains field data which contains titleID and orderID so to get them it's data.titleID and data.orderID

Re: Chart and table of occurences of field by another field

swdowiarz — Mon, 22 Jan 2018 10:08:16 GMT

No it's not a number, sorry that I didn't specify it properly, "data.titleID" is some string and I would like to have stats of how many times each user has used each data.titleID

Re: Chart and table of occurences of field by another field

gcusello — Mon, 22 Jan 2018 10:14:18 GMT

in this case you can use dc("data.titleID") AS "data.titleID"
Bye.
Giuseppe

Re: Chart and table of occurences of field by another field

mayurr98 — Mon, 22 Jan 2018 10:27:21 GMT

According to the comments, I think you want something like this

| stats count by data.userID data.titleID | sort- count

So this query will give you the stats of how many times each data.userID has used each data.titleID.

let me know if this helps!

Re: Chart and table of occurences of field by another field

swdowiarz — Mon, 22 Jan 2018 10:28:43 GMT

I have the following issue:
Search Factory: Unknown search command 'dc'.

Re: Chart and table of occurences of field by another field

swdowiarz — Mon, 22 Jan 2018 10:51:41 GMT

that's what I wanted, can I have some graph of it ? I mean graph which contains user and titleID ? For example graph which shows user and most used titleID and the number how many times he used this titleID ?

Re: Chart and table of occurences of field by another field

mayurr98 — Mon, 22 Jan 2018 11:55:18 GMT

count field gives you that only i.e. how many times he used corresponding titleID.

| chart usenull=f useother=f  count over data.userID by data.titleID where max in top3

And then you can use line chart on the visualization tab. max in top3 means top 3 titleID's
you can specify any number top3,top5,top10,etc.

for more you can refer this doc

https://docs.splunk.com/Documentation/SplunkCloud/6.6.3/SearchReference/Chart#where_clause