Counting by one field and then grouping by month?

peksalli
Engager

Hello!

This question is probably trivial (I'm a newbie) but I just don't seem to be able to adjust my head to think how this is done. I am trying to count occurrences of each event type per month, having this kind of output:

month    field1    count
01       x         20
01       y         10
01       z         15
02       x         10
02       y         5
02       z         6

There are only about ten different values for field1, but they may change every month, so the values should come from the index.

So far I only have got to this:
source=mysource earliest=-10mon@mon | convert timeformat="%m" ctime(_time) AS month | cluster field="field1" countfield=count | table month, field1, count

Obviously this doesn't work, as it clusters & counts over all time, not per month.

I have been thinking of using a subsearch like

source="mysource" earliest=-10mon@mon | stats values(field1)

which lists the distinct values, but how can I use this result?
1 Solution

Ayn
Legend

Just using stats with a by clause should do what you want.

... | stats count by month,field1

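To make the two-key grouping concrete, here is an added example (not from the thread and not Splunk code) that emulates `| convert timeformat="%m" ctime(_time) AS month | stats count by month, field1` in plain Python over a constructed set of events. The event data, the `count_by_month`, `distinct_values` and `render_table` helper names are assumptions made for the illustration; the timeformat argument lets you compare `%m` with `%Y-%m`.

```python
from collections import Counter
from datetime import datetime, timezone


def _epoch(year: int, month: int, day: int) -> int:
    """Epoch seconds for a UTC date, standing in for Splunk's _time field."""
    return int(datetime(year, month, day, tzinfo=timezone.utc).timestamp())


# Constructed sample events (hypothetical, not data from the original post).
# Each event carries _time (epoch seconds) and the field we want to count by.
SAMPLE_EVENTS = [
    {"_time": _epoch(2024, 1, 3), "field1": "x"},
    {"_time": _epoch(2024, 1, 9), "field1": "x"},
    {"_time": _epoch(2024, 1, 15), "field1": "y"},
    {"_time": _epoch(2024, 1, 20), "field1": "z"},
    {"_time": _epoch(2024, 2, 2), "field1": "x"},
    {"_time": _epoch(2024, 2, 11), "field1": "y"},
    {"_time": _epoch(2024, 2, 11), "field1": "y"},
    # One event a full year earlier: with "%m" it lands in the same "01"
    # bucket as January 2024, with "%Y-%m" it stays separate.
    {"_time": _epoch(2023, 1, 7), "field1": "x"},
]


def distinct_values(events, field="field1"):
    """Emulates `| stats values(field1)`: the sorted distinct values of a field."""
    return sorted({ev[field] for ev in events})


def count_by_month(events, timeformat="%m"):
    """Emulates `convert timeformat=<fmt> ctime(_time) AS month | stats count by month, field1`.

    Returns rows of (month, field1, count), sorted by month and then field1,
    which is the table shape the question asked for.
    """
    counts = Counter()
    for ev in events:
        # ctime() formats _time with strftime-style directives; %m gives "01".."12".
        month = datetime.fromtimestamp(ev["_time"], tz=timezone.utc).strftime(timeformat)
        counts[(month, ev["field1"])] += 1
    # Sorting on the (month, field1) key mirrors `| sort month, field1`.
    return [(month, field1, n) for (month, field1), n in sorted(counts.items())]


def render_table(rows):
    """Render rows as the plain-text table from the question."""
    lines = ["month    field1    count"]
    for month, field1, n in rows:
        lines.append(f"{month:<8} {field1:<9} {n}")
    return "\n".join(lines)


if __name__ == "__main__":
    print("distinct field1 values:", distinct_values(SAMPLE_EVENTS))
    print(render_table(count_by_month(SAMPLE_EVENTS, "%m")))
    print()
    print(render_table(count_by_month(SAMPLE_EVENTS, "%Y-%m")))
```

The equivalent SPL, combining the question's own prefix with the answer, is `source=mysource earliest=-10mon@mon | convert timeformat="%m" ctime(_time) AS month | stats count by month, field1`. Within a ten-month window `%m` never repeats, but if the search window grows to a year or more the same month number from two different years merges into one bucket; `timeformat="%Y-%m"` keeps them apart, which is what the second call above shows.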

Ayn
Legend

No problem. If this answer solved your problem, please mark it as accepted. Thanks.

peksalli
Engager

Thanks, so it was trivial. All the "stats count by" examples I could find had only one parameter after "by".
