Solved: Count by two different fields in one result

humi · ‎07-11-2023

Hello all, i'm sure tje answer exists somewhere but i can't find it...
As you can see, i start with this powerfull tool, and i need help.
I have logs with FIELD1 and FIELD2 which concern the samething (IP ADDRESS).
I need to chart a count of each line of log where FIELD1="A" OR FIELD2="B" in a bargraph by FIELD1 and FIELD2.

So to see count of log by IP Address (which are in two differents fields.
I hope i'm understandable...

I stoped here (that display only count for the field i count by)...

index="XXX" FIELD1="A" OR FIELD2="B" | chart count(eval(FIELD1="A")) AS "AnswerA", count(eval(FIELD2="B")) as "AnswerB" by ???

Many thanks!

gcusello · ‎07-11-2023

Hi @humi,

if you have some events only with field1 and some events only with field2, you could aggregate the values from field1 and field2 in the same field and use it:

index="XXX" (FIELD1=* OR FIELD2=*) 
| eval IP=coalesce(FIELD1, FIELD2)
| chart count BY IP

Ciao.

Giuseppe

View solution in original post

humi · ‎07-11-2023

Thanks Giuseppe !

It's so simple when the solution is given...

gcusello · ‎07-11-2023

Hi @humi,

if you have some events only with field1 and some events only with field2, you could aggregate the values from field1 and field2 in the same field and use it:

index="XXX" (FIELD1=* OR FIELD2=*) 
| eval IP=coalesce(FIELD1, FIELD2)
| chart count BY IP

Ciao.

Giuseppe

Count by two different fields in one result

count

Enter the Splunk Community Dashboard Challenge for Your Chance to Win!

.conf24 | Session Scheduler is Live!!

Introducing the Splunk Community Dashboard Challenge!