Splunk Search

Chart and table of occurrences of field by another field

swdowiarz
Path Finder

Hi

I would like to have a chart (bar etc.) and a table of logs which contain two pieces of information, titleID and userID.
I would like to have a table and chart of each user and the sum of each titleID for him.

I'm using this search, but I'm not sure about it:

... | top "data.titleID" by "data.userID" | table "data.userID" "data.titleID" count

0 Karma
1 Solution

mayurr98
Super Champion

According to the comments, I think you want something like this

| stats count by data.userID data.titleID | sort -count

So this query will give you the stats of how many times each data.userID has used each data.titleID.

Let me know if this helps!


0 Karma

swdowiarz
Path Finder

That's what I wanted. Can I have some graph of it? I mean a graph which contains user and titleID? For example, a graph which shows the user, the most used titleID and how many times he used this titleID?

0 Karma

mayurr98
Super Champion

The count field gives you that only, i.e. how many times he used the corresponding titleID.

| chart usenull=f useother=f  count over data.userID by data.titleID where max in top3

And then you can use a line chart on the Visualization tab. max in top3 means the top 3 titleIDs;
you can specify any number: top3, top5, top10, etc.

For more, you can refer to this doc:

https://docs.splunk.com/Documentation/SplunkCloud/6.6.3/SearchReference/Chart#where_clause

0 Karma

mayurr98
Super Champion

What is your field name, titleID or data.titleID?

0 Karma

swdowiarz
Path Finder

Oh yes, because my log contains a field data which contains titleID and orderID, so to get them it's data.titleID and data.orderID.

0 Karma

gcusello
SplunkTrust

Hi swdowiarz,
Hi, did you already try with

your_search
| stats sum(titleID) AS titleID BY userID
|  sort -titleID

?
If, in addition, you would like to have only the first 10 top values, you can add | head 10 to the above search.

Bye.
Giuseppe

0 Karma

swdowiarz
Path Finder

Hi

I don't know why, but SUM(titleID) does not work for me.

0 Karma

gcusello
SplunkTrust

Are you sure that titleID is a number?
Bye.
Giuseppe

0 Karma

swdowiarz
Path Finder

No, it's not a number. Sorry that I didn't specify it properly: "data.titleID" is a string, and I would like to have stats of how many times each user has used each data.titleID.

0 Karma

gcusello
SplunkTrust

In this case you can use dc("data.titleID") AS "data.titleID"
Bye.
Giuseppe

0 Karma

swdowiarz
Path Finder

I have the following issue:
Search Factory: Unknown search command 'dc'.

0 Karma
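A self-contained search that reproduces the accepted stats-based answer on constructed sample events, added here as an example and not code posted in the thread. The users alice/bob/carol and titles T1/T2/T3 are made-up values; the dotted field names data.userID and data.titleID are quoted as in the thread, and dc() is used where it belongs, as a stats/eventstats function rather than as a search command (the last post's "Unknown search command 'dc'" error is what piping to dc directly produces).

```spl
| makeresults
| eval sample="alice,T1 alice,T1 alice,T2 bob,T1 bob,T3 bob,T3 bob,T3 carol,T2"
| makemv delim=" " sample
| mvexpand sample
| rex field=sample "^(?<userID>[^,]+),(?<titleID>.+)$"
| rename userID AS "data.userID", titleID AS "data.titleID"
| fields - sample _time
| stats count BY "data.userID" "data.titleID"
| eventstats dc("data.titleID") AS distinct_titles, sum(count) AS user_total BY "data.userID"
| sort -count
| table "data.userID" "data.titleID" count distinct_titles user_total
```

The first seven lines only fabricate one event per userID/titleID pair so the search runs without any indexed data; against real logs, replace them with the base search. For the bar or line chart from the thread, replace the stats, eventstats, sort and table lines with | chart usenull=f useother=f count over "data.userID" by "data.titleID" where max in top3.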