Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Create Table Group Results

caviman2201
Path Finder
‎07-21-2014 11:08 AM

I have the following data:


















































































DateTime GroupName Count
2014-07-14T12:00:00 Group1 15
2014-07-14T12:00:00 Group2 17
2014-07-14T12:00:00 Group3 19
2014-07-15T12:00:00 Group1 18
2014-07-15T12:00:00 Group2 20
2014-07-15T12:00:00 Group3 25
2014-07-16T12:00:00 Group1 19
2014-07-16T12:00:00 Group2 20
2014-07-16T12:00:00 Group3 25
2014-07-17T12:00:00 Group1 22
2014-07-17T12:00:00 Group2 25
2014-07-17T12:00:00 Group3 30
2014-07-18T12:00:00 Group1 25
2014-07-18T12:00:00 Group2 32
2014-07-18T12:00:00 Group3 35



What I want is to have Splunk display it like so:

Group Monday Tuesday Wednesday Thursday Friday
Group1
 15 18 19 22 25
Group2 17 20 20 25 32
Group3 19 25 25 30 35



This will only ever display 1 week's worth of data, so the width of the table isn't a concern. Thanks in advance for any assistance!

So far, I have this to pull the weekday out.

<search> | eval WeekDay=upper(substr(date_wday,1,1)).substr(date_wday,2)
Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

lguinn2
Legend
‎07-21-2014 11:15 AM

I would do it this way

yoursearchhere
| eval Weekday = strftime(_time,"%a")
| chart first(Count) as Count by GroupName Weekday
| rename GroupName as Group

Assuming that there is only one event for each group and each day of week (that's why first works here).

Oops, just realized that this is likely to sort by the name of the day of the week, rather than what you want. So try this:

yoursearchhere
| eval Weekday = strftime(_time,"%w %a")
| chart first(Count) as Count by GroupName Weekday
| rename GroupName as Group
| rename "0 Sun" as "Sun", "1 Mon" as "Mon", "2 Tue" as "Tue", "3 Wed" as "Wed", "4 Thu" as "Thu", "5 Fri" as "Fri", "6 Sat" as "Sat"

View solution in original post

Reply
Solved! Jump to solution

strive
Influencer
‎07-21-2014 11:27 AM

Try this

Assuming that there will be more than one Count for a day and group combination

<search> | eval WeekDay=upper(substr(date_wday,1,1)).substr(date_wday,2) | chart sum(Count) as Count by GroupName WeekDay
0 Karma
Reply
Solved! Jump to solution

strive
Influencer
‎07-21-2014 11:30 AM

You also need rename option as it is in lguinn's answer

Reply
Solved! Jump to solution
Solution

lguinn2
Legend
‎07-21-2014 11:15 AM

I would do it this way

yoursearchhere
| eval Weekday = strftime(_time,"%a")
| chart first(Count) as Count by GroupName Weekday
| rename GroupName as Group

Assuming that there is only one event for each group and each day of week (that's why first works here).

Oops, just realized that this is likely to sort by the name of the day of the week, rather than what you want. So try this:

yoursearchhere
| eval Weekday = strftime(_time,"%w %a")
| chart first(Count) as Count by GroupName Weekday
| rename GroupName as Group
| rename "0 Sun" as "Sun", "1 Mon" as "Mon", "2 Tue" as "Tue", "3 Wed" as "Wed", "4 Thu" as "Thu", "5 Fri" as "Fri", "6 Sat" as "Sat"
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas     Cisco Live 2026 is almost here, and this ...

Data Management Digest – May 2026

Welcome to the May 2026 edition of Data Management Digest!   As your trusted partner in data innovation, the ...