Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Chart by selected fields
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Chart by selected fields
Hi
I am trying to structure some data from an outside source. In the data I get a lot of fields for each event, I want to work by selected field as below:
Field 1 Count Sparkline(Value)
Field 2 Count Sparkline(Value)
Field 3 Count Sparkline(Value)
Field 4 Count Sparkline(Value)
Field 5 Count Sparkline(Value)
Field 6 Count Sparkline(Value)
So far I haven’t been able to figure out how to pass the field as a variable in a search. Any help?
Vanniar
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try this (for starters)
sourcetype=fields | stats sparkline(avg(Field1)) as "Sparkline(value)", count(Field1) as Count | eval FieldName="Field1" | append [search sourcetype=fields | stats sparkline(avg(Field2)) as "Sparkline(value)", count(Field2) as Count | eval FieldName ="Field2"] | append [search sourcetype=fields | stats sparkline(avg(Field3)) as "Sparkline(value)", count(Field3) as Count | eval FieldName ="Field3"] | append [search sourcetype=fields | stats sparkline(avg(Field4)) as "Sparkline(value)", count(Field4) as Count | eval FieldName ="Field4"] | append [search sourcetype=fields | stats sparkline(avg(Field4)) as "Sparkline(value)", count(Field5) as Count | eval FieldName ="Field5"] | append [search sourcetype=fields | stats sparkline(avg(Field6)) as "Sparkline(value)", count(Field6) as Count | eval FieldName ="Field6"] | table FieldName , "Sparkline(value)", Count
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If your field names follow some patterns, you can filter based on that or may have fields names in a lookup file and filter with that.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Actually what I was looking for was to pull the fields. What worked for me was this:
...| fieldsummary|table field count min max
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
By the way. by fields I mean the ones inside the event. you can see them when you click in "All Fields" in the left panel.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I want to create a table with one Field per row. For me what’s important is to learn how to display those fields and the values. The fields are fixed; every event has the same fields.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Can you be more specific on the output you want? Its a table or chart? You want different rows for different field? How you are selecting fields, fixed list or dynamic?
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Announcing Modern Navigation: A New Era of Splunk User Experience
Modernize your Splunk Apps – Introducing Python 3.13 in Splunk
Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...
