Splunk Search

Grouping and counting by field

Engager

Hey, I'm looking for a little advice.

I'm trying to produce a report showing how many events of a particular type (where the type is defined by a field) have happened grouped by a given time span... say 10 minutes.

So ideally it would look something like this:

Time                |  HHProjection | Importer |
------------------------------------------------
2014-07-30T14:04:00 |           200 |      230 |

The closest I've got is something along these lines:

* | where Stage = "HHProjection" or Stage="Importer" | eval formattedTime = strftime(_time, "%FT%H:%M:00") | stats count by Stage, formattedTime

But as you can tell this produces a line per Stage rather than a column per Stage.

As a complete beginner how would I go about writing this query?

Thanks in advance.

1 Solution

Revered Legend

Try this:

Stage="HHProjection" or Stage="Importer" | timechart span=10m count by Stage

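To make the difference between the two result shapes concrete, here is an added Python model (not code from the original post or from Splunk) of what the accepted answer does: events are floored into 10-minute buckets (span=10m), and `timechart ... by Stage` pivots the per-Stage counts into one column per Stage, whereas `stats count by Stage, formattedTime` yields one row per (time, Stage) pair. The event list, stage names and helper names are constructed for illustration.

```python
from collections import Counter, defaultdict
from datetime import datetime, timezone

# Constructed sample events (not from the original post): (ISO timestamp, Stage).
EVENTS = [
    ("2014-07-30T14:04:12", "HHProjection"),
    ("2014-07-30T14:07:59", "Importer"),
    ("2014-07-30T14:09:30", "HHProjection"),
    ("2014-07-30T14:10:00", "Importer"),
    ("2014-07-30T14:15:45", "Importer"),
    ("2014-07-30T14:16:02", "Cleanup"),  # dropped by the Stage=... filter
]
STAGES = ("HHProjection", "Importer")   # the search's Stage filter
SPAN_SECONDS = 600                      # span=10m


def bucket_start(ts: str, span: int = SPAN_SECONDS) -> str:
    """Floor an ISO-8601 timestamp (treated as UTC) to the start of its span-second bucket."""
    epoch = int(datetime.fromisoformat(ts).replace(tzinfo=timezone.utc).timestamp())
    start = epoch - (epoch % span)
    return datetime.fromtimestamp(start, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%S")


def stats_count_by(events, stages=STAGES):
    """Shape of `stats count by Stage, formattedTime`: one row per (time, Stage) pair."""
    counts = Counter((bucket_start(ts), stage) for ts, stage in events if stage in stages)
    return sorted((t, s, n) for (t, s), n in counts.items())


def timechart_count_by(events, stages=STAGES):
    """Shape of `timechart span=10m count by Stage`: one row per bucket with a column per
    Stage, zero-filled where a Stage had no events in that bucket (real timechart also
    emits empty intervening buckets; this model only shows buckets that have events)."""
    table = defaultdict(lambda: {s: 0 for s in stages})
    for ts, stage in events:
        if stage in stages:
            table[bucket_start(ts)][stage] += 1
    return [{"_time": t, **table[t]} for t in sorted(table)]


if __name__ == "__main__":
    for row in timechart_count_by(EVENTS):
        print(row)
```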

Engager

Perfect, thanks!
