Deployment Architecture
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Counting by one field and then grouping by month?

peksalli
Engager
‎10-25-2012 05:00 AM

Hello!

This question is probably trivial (I'm a newbie) but I just don't seem to be able to adjust my head to think how this is done. I am trying to count occurrences of each event type per month, having this kind of output: 

month    field1    count
01       x         20
01       y         10
01       z         15
02       x         10
02       y         5
02       z         6

There are only about ten different values for field1, but they may change every month, so the values should come from the index.

So far I only have got to this:
source=mysource earliest=-10mon@mon | convert timeformat="%m" ctime(_time) AS month | cluster field="field1" countfield=count |table month, field1, count

Obviously this doesnt' work, as it clusters & counts over all time, not per month.

I have been thinking of using a subsearch like

source="mysource" earliest=-10mon@mon | stats values(field1)
  • which lists the distinct values, but how can I use this result?
Tags (2)
Reply
1 Solution
Solved! Jump to solution
Solution

Ayn
Legend
‎10-25-2012 05:03 AM

Just using stats with a by clause should do what you want.

... | stats count by month,field1

View solution in original post

Reply
Solved! Jump to solution
Solution

Ayn
Legend
‎10-25-2012 05:03 AM

Just using stats with a by clause should do what you want.

... | stats count by month,field1
Reply
Solved! Jump to solution

Ayn
Legend
‎10-25-2012 05:41 AM

No problem. If this answer solved your problem, please mark it as accepted. Thanks.

Reply
Solved! Jump to solution

peksalli
Engager
‎10-25-2012 05:22 AM

Thanks, so it was trivial. All the "stats count by" examples I could found had only one parameter after "by".

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability as Code: From Zero to Dashboard

For the details on what Self-Service Observability and Observability as Code is, we have some awesome content ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...