Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Chart over time by multiple fields

YuliyaVassilyev
Explorer
a week ago

Hi there! I want to create a scorecard by Manager and Region counting my Orders over Month. So the chart would look something like: 

YuliyaVassilyev_0-1734017277904.png

I have all the fields: Region, Director, Month and Order_Number to make a count. Please let me know if you have an efficient way to do this in SPL. Thank you very much!

 

 

Labels (3)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
a week ago

Hi @YuliyaVassilyev ,

at first Splunk isn't Excel!

anyway you could try something like this:

<your_search>
| eval col=Region."|".Director
| bin span=1mon _time
| chart count OVER col BY _time
| rex field=col "^(?<Region>[^\|]+)\|(?<Director>.*)"
| fields - col
| table Region Director *
| addcoltotals
| addtotals

 then to add partial totals.

Ciao.

Giuseppe

View solution in original post

0 Karma
Reply
Solved! Jump to solution

YuliyaVassilyev
Explorer
a week ago

@gcusello that worked great, thank you. Do you also happen to know the best way to add the totals for each carrier like on line 5 and 9 on my example chart? Like appendpipe?

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
a week ago

Hi @YuliyaVassilyev ,

good for you, see next time!

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated 😉

0 Karma
Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
a week ago

Hi @YuliyaVassilyev ,

at first Splunk isn't Excel!

anyway you could try something like this:

<your_search>
| eval col=Region."|".Director
| bin span=1mon _time
| chart count OVER col BY _time
| rex field=col "^(?<Region>[^\|]+)\|(?<Director>.*)"
| fields - col
| table Region Director *
| addcoltotals
| addtotals

 then to add partial totals.

Ciao.

Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...