Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Create Table Group Results

caviman2201
Path Finder
‎07-21-2014 11:08 AM

I have the following data:


















































































DateTime GroupName Count
2014-07-14T12:00:00 Group1 15
2014-07-14T12:00:00 Group2 17
2014-07-14T12:00:00 Group3 19
2014-07-15T12:00:00 Group1 18
2014-07-15T12:00:00 Group2 20
2014-07-15T12:00:00 Group3 25
2014-07-16T12:00:00 Group1 19
2014-07-16T12:00:00 Group2 20
2014-07-16T12:00:00 Group3 25
2014-07-17T12:00:00 Group1 22
2014-07-17T12:00:00 Group2 25
2014-07-17T12:00:00 Group3 30
2014-07-18T12:00:00 Group1 25
2014-07-18T12:00:00 Group2 32
2014-07-18T12:00:00 Group3 35



What I want is to have Splunk display it like so:

Group Monday Tuesday Wednesday Thursday Friday
Group1
 15 18 19 22 25
Group2 17 20 20 25 32
Group3 19 25 25 30 35



This will only ever display 1 week's worth of data, so the width of the table isn't a concern. Thanks in advance for any assistance!

So far, I have this to pull the weekday out.

<search> | eval WeekDay=upper(substr(date_wday,1,1)).substr(date_wday,2)
Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

lguinn2
Legend
‎07-21-2014 11:15 AM

I would do it this way

yoursearchhere
| eval Weekday = strftime(_time,"%a")
| chart first(Count) as Count by GroupName Weekday
| rename GroupName as Group

Assuming that there is only one event for each group and each day of week (that's why first works here).

Oops, just realized that this is likely to sort by the name of the day of the week, rather than what you want. So try this:

yoursearchhere
| eval Weekday = strftime(_time,"%w %a")
| chart first(Count) as Count by GroupName Weekday
| rename GroupName as Group
| rename "0 Sun" as "Sun", "1 Mon" as "Mon", "2 Tue" as "Tue", "3 Wed" as "Wed", "4 Thu" as "Thu", "5 Fri" as "Fri", "6 Sat" as "Sat"

View solution in original post

Reply
Solved! Jump to solution

strive
Influencer
‎07-21-2014 11:27 AM

Try this

Assuming that there will be more than one Count for a day and group combination

<search> | eval WeekDay=upper(substr(date_wday,1,1)).substr(date_wday,2) | chart sum(Count) as Count by GroupName WeekDay
0 Karma
Reply
Solved! Jump to solution

strive
Influencer
‎07-21-2014 11:30 AM

You also need rename option as it is in lguinn's answer

Reply
Solved! Jump to solution
Solution

lguinn2
Legend
‎07-21-2014 11:15 AM

I would do it this way

yoursearchhere
| eval Weekday = strftime(_time,"%a")
| chart first(Count) as Count by GroupName Weekday
| rename GroupName as Group

Assuming that there is only one event for each group and each day of week (that's why first works here).

Oops, just realized that this is likely to sort by the name of the day of the week, rather than what you want. So try this:

yoursearchhere
| eval Weekday = strftime(_time,"%w %a")
| chart first(Count) as Count by GroupName Weekday
| rename GroupName as Group
| rename "0 Sun" as "Sun", "1 Mon" as "Mon", "2 Tue" as "Tue", "3 Wed" as "Wed", "4 Thu" as "Thu", "5 Fri" as "Fri", "6 Sat" as "Sat"
Reply
Get Updates on the Splunk Community!

Splunk and Fraud

Watch Now!Watch an insightful webinar where we delve into the innovative approaches to solving fraud using the ...

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Survey for Splunk Admins and App Developers is open now! | Earn a $35 gift card!      Hello there,  Splunk ...

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...