Re: Group by and sum

thedonaldblake · ‎06-28-2020

Hello - I am a Splunk newbie.

datetime	Src_machine_name	Col1	Col3
1/1/2020	Machine1	Value1	Value2
1/2/2020	Machine1	Value1	Value5
1/31/2020	Machine3	Vavleu11	Value22
2/1/2020	Machine1	Value1	Value2
2/2/2020	Machine2	Value1	Value5
2/28/2020	Machine3	Vavleu11	Value22

I want to get sum of all counts of all machines (src_machine_name) for every month and put that in a bar chart with Name of month and count of Src_machine_name in that month.

So in january 2020, total count of Src_machine_name was 3, in Feb It was 3.

This is what I started with.

index="test | stats count by Src_machine_name

Will appreciate any help

bowesmana · ‎06-28-2020

You can do this (note I have uppercased your field names for simplicity with the multikv command.

| makeresults
| eval _raw="DATETIME SRC_MACHINE_NAME COL1 COL3
1/1/2020 Machine1 Value1 Value2
1/2/2020 Machine1 Value1 Value5
1/31/2020 Machine3 Vavleu11 Value22
2/1/2020 Machine1 Value1 Value2
2/2/2020 Machine2 Value1 Value5
2/28/2020 Machine3 Vavleu11 Value22"
| multikv
| eval _time=strptime(DATETIME,"%m/%d/%Y")
| timechart span=1mon count

and that will give you a bar chart with 3 for Jan and 3 for Feb. Your code is from the | eval if you do not have _time or from the timechart if you have _time that represents datetime

However, this is giving you the number of ROWS in each month and is not really any count of machine names. If you want to count rows that have Src_machine_name where some rows do not have the machine name, then change count to

| timechart span=1mon count(SRC_MACHINE_NAME)

or if you wanted the UNIQUE machine names each month then this would work

| timechart span=1mon dc(SRC_MACHINE_NAME)

Hope this helps

Group by and sum

count

stats

timechart

.conf24 | Day 0

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

Troubleshooting the OpenTelemetry Collector