Splunk Enterprise

Groupby + buckets

yifatcy
Path Finder

Hi,

I want to present the following table:

class:5-12 min12-24 min24+ min
classA122040
classB425654
classC155714

 

i.e For each class, I want to count all the records (id) that fall into each bucket.

This is what I have now:

index="x" queuename=vncisr runtime>300 | fields class id runtime | eval runtime = case(runtime < 720, "5-12 min", runtime < 1440 , "12-24 min", 1==1, "24+ min") | chart count by runtime

And I only get the total count for each bucket without considering the classes.

I hope it was clear.

 

Labels (1)
Tags (1)
0 Karma
1 Solution

isoutamo
SplunkTrust
SplunkTrust

Hi

please try to change chart to this:

...
| chart count(id) over class by runtime

r. Ismo 

View solution in original post

0 Karma

isoutamo
SplunkTrust
SplunkTrust

Hi

please try to change chart to this:

...
| chart count(id) over class by runtime

r. Ismo 

0 Karma

yifatcy
Path Finder

Perfect! thanks

0 Karma
Get Updates on the Splunk Community!

Splunk Observability Cloud | Unified Identity - Now Available for Existing Splunk ...

Raise your hand if you’ve already forgotten your username or password when logging into an account. (We can’t ...

Index This | How many sides does a circle have?

February 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

Registration for Splunk University is Now Open!

Are you ready for an adventure in learning?   Brace yourselves because Splunk University is back, and it's ...