Solved: Stats for Values and count - Dashboard

rangarbus · ‎07-30-2021

Below are the events:

{
	"kubernetes" : {
	"pod_name" : "p1"
	},
	traceId: "t-1"
}

{
	"kubernetes" : {
	"pod_name" : "p1"
	},
	traceId: "t-2"
}

{
	"kubernetes" : {
	"pod_name" : "p2"
	},
	traceId: "t-4"
}

{
	"kubernetes" : {
	"pod_name" : "p3"
	},
	traceId: "t-5"
}

I am looking for a dashboard with 2 panels.

1. Showing the unique # of pods
2. Table with Pod Name, # of Number of unique traces

For the above event, panels will be

1. Showing the unique # of pods = 3

2. Table with Pod Name, # of Number of unique traces

   ----------------------------------
   | POD NAME   |  # of Traces      |
   ----------------------------------
   | p1         |  2                |
   ----------------------------------
   | p2         |  1                |
   ----------------------------------
   | p3         |  1                |
   ----------------------------------

ITWhisperer · ‎07-30-2021

Try something like this

| spath path=kubernetes.pod_name output=pod_name
| spath path=traceId
| stats count by pod_name traceId
| stats count as number_of_traces by pod_name

View solution in original post

ITWhisperer · ‎07-30-2021

Try something like this

| spath path=kubernetes.pod_name output=pod_name
| spath path=traceId
| stats count by pod_name traceId
| stats count as number_of_traces by pod_name

Stats for Values and count - Dashboard

panel

single value

table

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?