Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Count by two different fields in one result

humi
Explorer
‎07-11-2023 06:12 AM

Hello all, i'm sure tje answer exists somewhere but i can't find it...
As you can see, i start with this powerfull tool, and i need help.
I have logs with FIELD1 and FIELD2 which concern the samething (IP ADDRESS).
I need to chart a count of each line of log where FIELD1="A" OR FIELD2="B" in a bargraph by FIELD1 and FIELD2.

So to see count of log by IP Address (which are in two differents fields.
I hope i'm understandable...

I stoped here (that display only count for the field i count by)...

index="XXX" FIELD1="A" OR FIELD2="B" | chart count(eval(FIELD1="A")) AS "AnswerA", count(eval(FIELD2="B")) as "AnswerB" by ???

 

Many thanks!

Labels (1)
Labels
Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎07-11-2023 06:19 AM

Hi @humi,

if you have some events only with field1 and some events only with field2, you could aggregate the values from field1 and field2 in the same field and use it:

index="XXX" (FIELD1=* OR FIELD2=*) 
| eval IP=coalesce(FIELD1, FIELD2)
| chart count BY IP

Ciao.

Giuseppe

View solution in original post

Reply
Solved! Jump to solution

humi
Explorer
‎07-11-2023 07:38 AM

Thanks Giuseppe ! 

It's so simple when the solution is given...

0 Karma
Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎07-11-2023 06:19 AM

Hi @humi,

if you have some events only with field1 and some events only with field2, you could aggregate the values from field1 and field2 in the same field and use it:

index="XXX" (FIELD1=* OR FIELD2=*) 
| eval IP=coalesce(FIELD1, FIELD2)
| chart count BY IP

Ciao.

Giuseppe

Reply
Get Updates on the Splunk Community!

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...

Fun with Regular Expression - multiples of nine

Fun with Regular Expression - multiples of nineThis challenge was first posted on Slack #regex channel ...