topic Chart over multiple variables in Splunk Search

Chart over multiple variables

atulitm — Tue, 29 Sep 2020 16:29:22 GMT

day_receive_time="Wed, Oct 25, 2017" device_name="apple" app="mssql-db" bandwidth_consumption="161"
day_receive_time="Wed, Oct 25, 2017" device_name="apple" app="ldap" bandwidth_consumption="146"
day_receive_time="Wed, Oct 25, 2017" device_name="grape" app="syslog" bandwidth_consumption="69"
day_receive_time="Wed, Oct 25, 2017" device_name="grape" app="syslog" bandwidth_consumption="69"

i would like have data in format
device_name app bandwidth_consumption
apple mssql-db 161
ldap 146
syslog 69
grape syslog 69

Unable to create query for same , Can some please help with building query for same .

Re: Chart over multiple variables

elliotproebstel — Thu, 26 Oct 2017 15:53:22 GMT

Give this a try:
your base search | stats values(app) AS app values(bandwidth_consumption) AS bandwidth_consumption BY device_name

Here's some guidance on how to use stats in your searches:
http://docs.splunk.com/Documentation/Splunk/7.0.0/Search/Usethestatscommandandfunctions

Re: Chart over multiple variables

atulitm — Tue, 29 Sep 2020 16:29:27 GMT

Actually also i need that data on per day_receive_time variable mention in logs so in other words i will be getting bwconsumption data daily for one device for each app and i want to show that in table per day ... coloum header should be variable
day_receive_time .. unable to create . can you plz help with same

Re: Chart over multiple variables

elliotproebstel — Thu, 26 Oct 2017 17:48:23 GMT

So perhaps what you need is this:
your base search | stats values(app) AS app values(bandwidth_consumption) AS bandwidth_consumption by day_receive_time device_name

Re: Chart over multiple variables

atulitm — Tue, 29 Sep 2020 16:29:46 GMT

Thanks , i tried that before but problem is that i need dates to be column header and this query makes them as row .. Also i had tried adding
your base search | stats values(app) AS app values(bandwidth_consumption) AS bandwidth_consumption by day_receive_time device_name| transpose header_field=device_name | fields - column
but it doesnt work , i need dates as column header where it shows bandwidth_consumption underneath so it shows per app per day stats , so that in one table we could compare how bandwidth_consumption is increasing/decreasing and also if we can have that in chart .

Re: Chart over multiple variables

niketn — Fri, 27 Oct 2017 07:28:50 GMT

@atulitm, I think your current requirement has changed from the original table that you have posted in your question. Please post a sample updated table as per your need, so that community members can assist.

Re: Chart over multiple variables

atulitm — Tue, 29 Sep 2020 16:25:59 GMT

device_name app bandwidth_consumption
Wed, Oct 25, 2017 Thurs, Oct 26, 2017

apple mssql-db 161 120
ldap 146 132
syslog 69 85
grape syslog 69 80

Wed, Oct 25, 2017 and Thurs, Oct 26, 2017 you see in output are values of variable "day_receive_time" in log
@niketnilay I am looking for something like this which shows bandwidth_consumption of each app per device per day and also a chart out of it . I tried using stats command , i can get output but not in way i want . thnx

Re: Chart over multiple variables

atulitm — Tue, 29 Sep 2020 16:26:02 GMT

One more thing .. this looks like giving me desired results but problem is it creates column for app too per day where i need to see app and then how much bandwidth_consumption per day as shown above .
index | chart values(app) AS app values(bandwidth_consumption) AS bandwidth_consumption by device_name day_receive_time

Re: Chart over multiple variables

niketn — Mon, 30 Oct 2017 15:20:03 GMT

@atulitm, I feel this is duplicate, I have already answered this question for you : https://answers.splunk.com/answers/586137/how-to-use-chart-command-to-get-data-over-3-variab.html