Not able to extract the data in proper format

Motivator

Hello

I am trying to create a search which lists the count based on the priority, but I am having issues with it. The search which I am using is:

sourcetype="incident"  record.customer!="AUTOMATION_INT" | dedup record.incidentId |  stats count by  record.service, record.priority | sort -count

The output is

   record.service                 record.priority   count
1  TEST CENTER                    4                 7
2  ACCESS MANAGEMENT              3                 3
3  (UBER) SERVICE                 4                 3
4  TEST CENTER                    1                 2
5  WINDOWS SERVER APPLICATIONS    4                 1

I am trying to get the data listed as in this format

 record.service        1   2   3   4      count

1,2,3,4 are the record.priority options. Any idea on how to modify that? Can I change the way the data is being input into the table?

Re: Not able to extract the data in proper format

SplunkTrust
I'm not sure if this is what you are looking for, but you could use the contingency keyword:

sourcetype="incident" record.customer!="AUTOMATION_INT" | dedup record.incidentId | contingency record.service, record.priority

It should output something like:

record.service 1 2 3 4 TOTAL
TEST CENTER count count count count total_count
ACCESS MANAGEMENT count count count count total_count

http://docs.splunk.com/Documentation/Splunk/5.0/SearchReference/Contingency
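
An added example, not part of the original thread: the same service-by-priority table built with `chart` and `addtotals` instead of `contingency`, reusing the base search from the question. It assumes the per-row total should be named `count`, as in the layout the question asks for, and keeps the question's descending sort.

```spl
sourcetype="incident" record.customer!="AUTOMATION_INT"
| dedup record.incidentId
| chart count over record.service by record.priority
| addtotals fieldname=count
| sort -count
```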

Re: Not able to extract the data in proper format

Motivator

Thanks a lot for that. It solved the issue.

Re: Not able to extract the data in proper format

Champion

@theouhuios, could you possibly post a sample of your events, _raw (scrubbed of course)?