Splunk Enterprise

Groupby + buckets

yifatcy
Path Finder

Hi,

I want to present the following table:

class:    5-12 min    12-24 min    24+ min
classA    12          20           40
classB    42          56           54
classC    15          57           14

 

I.e., for each class, I want to count all the records (id) that fall into each bucket.

This is what I have now:

index="x" queuename=vncisr runtime>300 | fields class id runtime | eval runtime = case(runtime < 720, "5-12 min", runtime < 1440 , "12-24 min", 1==1, "24+ min") | chart count by runtime

And I only get the total count for each bucket without considering the classes.

I hope it was clear.

 

0 Karma
1 Solution

isoutamo
SplunkTrust
SplunkTrust

Hi

Please try changing chart to this:

...
| chart count(id) over class by runtime

r. Ismo 


0 Karma
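The accepted change applied to the full pipeline, as an added example that is not part of the original posts: it runs on constructed events from makeresults (ids, classes and runtimes are made up) so it can be pasted into any search bar without the asker's index. The final table command is an addition to the answer; chart orders the bucket columns as strings ("12-24 min" before "5-12 min"), and table puts them back in duration order.

```spl
| makeresults count=9
| streamstats count AS n
| eval id="constructed-sample-".n
| eval class=case(n%3==0, "classA", n%3==1, "classB", true(), "classC")
| eval runtime=n*250
| where runtime>300
| eval runtime=case(runtime<720, "5-12 min", runtime<1440, "12-24 min", true(), "24+ min")
| chart count(id) over class by runtime
| table class "5-12 min" "12-24 min" "24+ min"
```

With these constructed events, the sample whose runtime is 250 is dropped by the runtime>300 filter, and classA and classB show 0 in the "5-12 min" column rather than disappearing from the table.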


yifatcy
Path Finder

Perfect! Thanks

0 Karma