Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Chart over multiple variables

atulitm
Path Finder
‎10-26-2017 07:52 AM

day_receive_time="Wed, Oct 25, 2017" device_name="apple" app="mssql-db" bandwidth_consumption="161"
day_receive_time="Wed, Oct 25, 2017" device_name="apple" app="ldap" bandwidth_consumption="146"
day_receive_time="Wed, Oct 25, 2017" device_name="grape" app="syslog" bandwidth_consumption="69"
day_receive_time="Wed, Oct 25, 2017" device_name="grape" app="syslog" bandwidth_consumption="69"

i would like have data in format
device_name app bandwidth_consumption
apple mssql-db 161
ldap 146
syslog 69
grape syslog 69

Unable to create query for same , Can some please help with building query for same .

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

niketn
Legend
‎10-30-2017 08:20 AM

@atulitm, I feel this is duplicate, I have already answered this question for you : https://answers.splunk.com/answers/586137/how-to-use-chart-command-to-get-data-over-3-variab.html

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

niketn
Legend
‎10-30-2017 08:20 AM

@atulitm, I feel this is duplicate, I have already answered this question for you : https://answers.splunk.com/answers/586137/how-to-use-chart-command-to-get-data-over-3-variab.html

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Solved! Jump to solution

elliotproebstel
Champion
‎10-26-2017 08:53 AM

Give this a try:
your base search | stats values(app) AS app values(bandwidth_consumption) AS bandwidth_consumption BY device_name

Here's some guidance on how to use stats in your searches:
http://docs.splunk.com/Documentation/Splunk/7.0.0/Search/Usethestatscommandandfunctions

Reply
Solved! Jump to solution

atulitm
Path Finder
‎10-26-2017 09:48 AM

Actually also i need that data on per day_receive_time variable mention in logs so in other words i will be getting bwconsumption data daily for one device for each app and i want to show that in table per day ... coloum header should be variable
day_receive_time .. unable to create . can you plz help with same

0 Karma
Reply
Solved! Jump to solution

elliotproebstel
Champion
‎10-26-2017 10:48 AM

So perhaps what you need is this:
your base search | stats values(app) AS app values(bandwidth_consumption) AS bandwidth_consumption by day_receive_time device_name

Reply
Solved! Jump to solution

atulitm
Path Finder
‎10-26-2017 07:16 PM

Thanks , i tried that before but problem is that i need dates to be column header and this query makes them as row .. Also i had tried adding
your base search | stats values(app) AS app values(bandwidth_consumption) AS bandwidth_consumption by day_receive_time device_name| transpose header_field=device_name | fields - column
but it doesnt work , i need dates as column header where it shows bandwidth_consumption underneath so it shows per app per day stats , so that in one table we could compare how bandwidth_consumption is increasing/decreasing and also if we can have that in chart .

0 Karma
Reply
Solved! Jump to solution

niketn
Legend
‎10-27-2017 12:28 AM

@atulitm, I think your current requirement has changed from the original table that you have posted in your question. Please post a sample updated table as per your need, so that community members can assist.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Solved! Jump to solution

atulitm
Path Finder
‎10-27-2017 12:43 AM

device_name app bandwidth_consumption
Wed, Oct 25, 2017 Thurs, Oct 26, 2017

apple mssql-db 161 120
ldap 146 132
syslog 69 85
grape syslog 69 80

Wed, Oct 25, 2017 and Thurs, Oct 26, 2017 you see in output are values of variable "day_receive_time" in log
@niketnilay I am looking for something like this which shows bandwidth_consumption of each app per device per day and also a chart out of it . I tried using stats command , i can get output but not in way i want . thnx

0 Karma
Reply
Solved! Jump to solution

atulitm
Path Finder
‎10-27-2017 01:05 AM

One more thing .. this looks like giving me desired results but problem is it creates column for app too per day where i need to see app and then how much bandwidth_consumption per day as shown above .
index | chart values(app) AS app values(bandwidth_consumption) AS bandwidth_consumption by device_name day_receive_time

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

After a whole week of being on call, you fell asleep on your keyboard, and you hit a sequence of buttons that ...

SplunkTrust Application Period is Officially OPEN!

It's that time, folks! The application/nomination period for the 2026-2027 SplunkTrust is officially open. If ...