Solved: Field values

obularajud16 · ‎08-29-2020

Ghj

sourcetype=access_combined | eval action = if(isnull(action) OR action="", "Unknown", action) | timechart span=40h  values(action),count(action)

obularajud16 · ‎08-29-2020

Got the answer with the below

Spoiler

sourcetype=access_combined | eval action = if(isnull(action) OR action="", "unknown", action) | bin span=72h _time | stats count as totals by action, span(=_time,72h) | sort -_time,action

View solution in original post

obularajud16 · ‎08-29-2020

Got the answer with the below

Spoiler

sourcetype=access_combined | eval action = if(isnull(action) OR action="", "unknown", action) | bin span=72h _time | stats count as totals by action, span(=_time,72h) | sort -_time,action

thambisetty · ‎08-29-2020

sourcetype=access_combined 
| eval action = if(isnull(action) OR action="", "Unknown", action) 
| bin _time span=40h 
| chart count over _time by action

————————————
If this helps, give a like below.

to4kawa · ‎08-29-2020

sourcetype=access_combined | eval action = if(isnull(action) OR action="", "Unknown", action) | timechart span=40h count by action

obularajud16 · ‎08-29-2020

As I mentioned, i need data in row format not in column format to group by multiple fields

timechart span=40h count by action, status

isoutamo · ‎08-29-2020

Easiest way is combine those values like:

eval a_s = action . "-".status

| timechart span=40h count by a_s

Otherwise you must start to play with bin + stats/chart/xyseries

r. Ismo

Field values

stats

timechart

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Unlocking Unified Insights: New Gigamon Federated Search App for Splunk

GA: New Data Management App in Splunk Platform

Announcing Modern Navigation: A New Era of Splunk User Experience

Join the Conversation