Solved: Re: Chart and table of occurences of field by anot...

swdowiarz · ‎01-22-2018

Hi

I would like to have some chart ( bar etc.) and table of logs which contain two information titleID and userID.
I would like to have table and chart of each user and sum of each titleID for him.

I'm using this search, but I'm not sure about it:

... | top "data.titleID" by "data.userID" | table "data.userID" "data.titleID" count

mayurr98 · ‎01-22-2018

According to the comments, I think you want something like this

| stats count by data.userID data.titleID | sort- count

So this query will give you the stats of how many times each data.userID has used each data.titleID.

let me know if this helps!

View solution in original post

mayurr98 · ‎01-22-2018

According to the comments, I think you want something like this

| stats count by data.userID data.titleID | sort- count

So this query will give you the stats of how many times each data.userID has used each data.titleID.

let me know if this helps!

swdowiarz · ‎01-22-2018

that's what I wanted, can I have some graph of it ? I mean graph which contains user and titleID ? For example graph which shows user and most used titleID and the number how many times he used this titleID ?

mayurr98 · ‎01-22-2018

count field gives you that only i.e. how many times he used corresponding titleID.

| chart usenull=f useother=f  count over data.userID by data.titleID where max in top3

And then you can use line chart on the visualization tab. max in top3 means top 3 titleID's
you can specify any number top3,top5,top10,etc.

for more you can refer this doc

https://docs.splunk.com/Documentation/SplunkCloud/6.6.3/SearchReference/Chart#where_clause

mayurr98 · ‎01-22-2018

what is your fieldname titleID or data.titleID?

swdowiarz · ‎01-22-2018

oh yes, because my log contains field data which contains titleID and orderID so to get them it's data.titleID and data.orderID

gcusello · ‎01-22-2018

Hi swdowiarz,
hi did you already tried with

your_search
| stats sum(titleID) AS titleID BY userID
|  sort -titleID

?
if in addition you like to have only the first 10 top values you can add tho the above search | head 10

Bye.
Giuseppe

swdowiarz · ‎01-22-2018

Hi

I don't know why but SUM(titleID) does not work for me, I don't know why

gcusello · ‎01-22-2018

Are you sure that titleID is a number?
Byte.
Giuseppe

swdowiarz · ‎01-22-2018

No it's not a number, sorry that I didn't specify it properly, "data.titleID" is some string and I would like to have stats of how many times each user has used each data.titleID

gcusello · ‎01-22-2018

in this case you can use dc("data.titleID") AS "data.titleID"
Bye.
Giuseppe

swdowiarz · ‎01-22-2018

I have the following issue:
Search Factory: Unknown search command 'dc'.

Chart and table of occurences of field by another field

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

Transform your security operations with Splunk Enterprise Security

Splunk Admins and App Developers | Earn a $35 gift card!