Re: How to group by multiple fields?

Leo_Pegasus · ‎03-07-2022

I have following splunk fields

Date,Group,State

State can have following values InProgress|Declined|Submitted

I like to get following result

Date.          Group. TotalInProgress.  TotalDeclined TotalSubmitted. Total
-----------------------------------------------------------------------------     
12-12-2021       A.     13.              10               15           38

I couldn't figured it out. Any help would be appreciated

ITWhisperer · ‎03-07-2022

You need to concatenate the fields, do the stats (well chart to be precise), then split the concatenated field

| makeresults count=100
| eval date=strftime(relative_time(now(),"-".(random()%10)."d@d"),"%F")
| eval group=mvindex(split("ABC",""),random()%3)
| eval state=mvindex(split("InProgress|Declined|Submitted","|"),random()%3)



| eval dategroup=date."|".group
| chart count by dategroup state
| addtotals
| eval date=mvindex(split(dategroup,"|"),0)
| eval group=mvindex(split(dategroup,"|"),1)
| fields - dategroup
| table date group * Total

bowesmana · ‎03-07-2022

Edited: Bad first response. You can do this with two stats

your_search
| stats count by Date Group State
| eval "Total{State}"=count
| fields - State count
| stats values(*) as * by Date Group
| addtotals

How to group by multiple fields?

Developer Spotlight with Brett Adams

Index This | What can you do to make 55,555 equal 500?

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...