Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Field values

obularajud16
Explorer
‎08-29-2020 02:30 AM
  •  

 

Ghj

sourcetype=access_combined | eval action = if(isnull(action) OR action="", "Unknown", action) | timechart span=40h  values(action),count(action)

 

Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

obularajud16
Explorer
‎08-29-2020 11:50 PM

Got the answer with the below

Spoiler
sourcetype=access_combined | eval action = if(isnull(action) OR action="", "unknown", action) | bin span=72h _time | stats count as totals by action, span(=_time,72h) | sort -_time,action​

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

obularajud16
Explorer
‎08-29-2020 11:50 PM

Got the answer with the below

Spoiler
sourcetype=access_combined | eval action = if(isnull(action) OR action="", "unknown", action) | bin span=72h _time | stats count as totals by action, span(=_time,72h) | sort -_time,action​
0 Karma
Reply
Solved! Jump to solution

thambisetty
SplunkTrust
SplunkTrust
‎08-29-2020 09:19 AM 
sourcetype=access_combined 
| eval action = if(isnull(action) OR action="", "Unknown", action) 
| bin _time span=40h 
| chart count over _time by action
————————————
If this helps, give a like below.
0 Karma
Reply
Solved! Jump to solution

to4kawa
Ultra Champion
‎08-29-2020 02:39 AM

sourcetype=access_combined | eval action = if(isnull(action) OR action="", "Unknown", action) | timechart span=40h count by action

0 Karma
Reply
Solved! Jump to solution

obularajud16
Explorer
‎08-29-2020 04:27 AM

As I mentioned, i need data in row format not in column format to group by multiple fields

 

timechart span=40h count by action, status

 

 

0 Karma
Reply
Solved! Jump to solution

isoutamo
SplunkTrust
SplunkTrust
‎08-29-2020 05:08 AM

Easiest way is combine those values like:

eval a_s = action . "-".status 

| timechart span=40h count by a_s

 

Otherwise you must start to play with bin + stats/chart/xyseries

r. Ismo

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability as Code: From Zero to Dashboard

For the details on what Self-Service Observability and Observability as Code is, we have some awesome content ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...