Splunk Search
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Chart over multiple variables

atulitm
Path Finder
‎10-26-2017 07:52 AM

day_receive_time="Wed, Oct 25, 2017" device_name="apple" app="mssql-db" bandwidth_consumption="161"
day_receive_time="Wed, Oct 25, 2017" device_name="apple" app="ldap" bandwidth_consumption="146"
day_receive_time="Wed, Oct 25, 2017" device_name="grape" app="syslog" bandwidth_consumption="69"
day_receive_time="Wed, Oct 25, 2017" device_name="grape" app="syslog" bandwidth_consumption="69"

i would like have data in format
device_name app bandwidth_consumption
apple mssql-db 161
ldap 146
syslog 69
grape syslog 69

Unable to create query for same , Can some please help with building query for same .

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

niketn
Legend
‎10-30-2017 08:20 AM

@atulitm, I feel this is duplicate, I have already answered this question for you : https://answers.splunk.com/answers/586137/how-to-use-chart-command-to-get-data-over-3-variab.html

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

niketn
Legend
‎10-30-2017 08:20 AM

@atulitm, I feel this is duplicate, I have already answered this question for you : https://answers.splunk.com/answers/586137/how-to-use-chart-command-to-get-data-over-3-variab.html

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Solved! Jump to solution

elliotproebstel
Champion
‎10-26-2017 08:53 AM

Give this a try:
your base search | stats values(app) AS app values(bandwidth_consumption) AS bandwidth_consumption BY device_name

Here's some guidance on how to use stats in your searches:
http://docs.splunk.com/Documentation/Splunk/7.0.0/Search/Usethestatscommandandfunctions

Reply
Solved! Jump to solution

atulitm
Path Finder
‎10-26-2017 09:48 AM

Actually also i need that data on per day_receive_time variable mention in logs so in other words i will be getting bwconsumption data daily for one device for each app and i want to show that in table per day ... coloum header should be variable
day_receive_time .. unable to create . can you plz help with same

0 Karma
Reply
Solved! Jump to solution

elliotproebstel
Champion
‎10-26-2017 10:48 AM

So perhaps what you need is this:
your base search | stats values(app) AS app values(bandwidth_consumption) AS bandwidth_consumption by day_receive_time device_name

Reply
Solved! Jump to solution

atulitm
Path Finder
‎10-26-2017 07:16 PM

Thanks , i tried that before but problem is that i need dates to be column header and this query makes them as row .. Also i had tried adding
your base search | stats values(app) AS app values(bandwidth_consumption) AS bandwidth_consumption by day_receive_time device_name| transpose header_field=device_name | fields - column
but it doesnt work , i need dates as column header where it shows bandwidth_consumption underneath so it shows per app per day stats , so that in one table we could compare how bandwidth_consumption is increasing/decreasing and also if we can have that in chart .

0 Karma
Reply
Solved! Jump to solution

niketn
Legend
‎10-27-2017 12:28 AM

@atulitm, I think your current requirement has changed from the original table that you have posted in your question. Please post a sample updated table as per your need, so that community members can assist.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Solved! Jump to solution

atulitm
Path Finder
‎10-27-2017 12:43 AM

device_name app bandwidth_consumption
Wed, Oct 25, 2017 Thurs, Oct 26, 2017

apple mssql-db 161 120
ldap 146 132
syslog 69 85
grape syslog 69 80

Wed, Oct 25, 2017 and Thurs, Oct 26, 2017 you see in output are values of variable "day_receive_time" in log
@niketnilay I am looking for something like this which shows bandwidth_consumption of each app per device per day and also a chart out of it . I tried using stats command , i can get output but not in way i want . thnx

0 Karma
Reply
Solved! Jump to solution

atulitm
Path Finder
‎10-27-2017 01:05 AM

One more thing .. this looks like giving me desired results but problem is it creates column for app too per day where i need to see app and then how much bandwidth_consumption per day as shown above .
index | chart values(app) AS app values(bandwidth_consumption) AS bandwidth_consumption by device_name day_receive_time

0 Karma
Reply
Get Updates on the Splunk Community!

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...

In today’s evolving threat landscape, we understand you’re constantly bombarded with phishing and malware ...

AppDynamics is now part of Splunk Ideas

Hello Splunkers, We have exciting news for you! AppDynamics has been added to the Splunk Ideas Portal. Which ...

Advanced Splunk Data Management Strategies

Join us on Wednesday, May 14, 2025, at 11 AM PDT / 2 PM EDT for an exclusive Tech Talk that delves into ...
Top