
Grouping events by a specific field and generating a timechart for both groups?

Sanshan
Observer

There is a complicated requirement for me, a Splunk beginner. I hope you can give me some advice.

The splunk version: 9.0.2303.201

Since there are a lot of logs (events) that meet my search requirement, I want to generate a time chart with those logs.

I want to group those logs by a specific field named "field1":

For events in group A, their "field1" value is unique when compared with all other events;
For events in group B, their "field1" value has been repeated once when compared with other events, which means when I search the value of "field1" (group B), it will return two events.

Based on this premise, I want to count how many times events occurred for both groups and display them in a timeline (time chart). What can I do?


diogofgm
SplunkTrust

You can use the grouping you explained with some Splunk commands to accomplish that.

| windbag
| eval group = if(lang="Euro","groupA","groupB")
| timechart count by group

This is just an example with random data that you can try in your environment. You can change your grouping conditions in the if statement to your field1=your unique value.

------------
Hope I was able to help you. If so, some karma would be appreciated.

meetmshah
Builder

Hello @Sanshan, would you be able to share an example with values? Also, an image with the expected chart would be helpful to answer.


Sanshan
Observer

Sure, the "field1" has a value of a random UUID to mark a single trigger behavior.
But in some cases, it returns two logs with the same UUID, so I really need to separate the two situations (A: a unique UUID that only appeared in one event; B: two different events that have the same UUID).

For the chart:
[attached image: timechart.jpeg]

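The grouping described in the question (a UUID seen in exactly one event vs. a UUID seen in two events) can be computed inside the search itself with eventstats, so the accepted answer's if() condition does not have to be hard-coded. This is an added example, not code from any of the posters; the index, sourcetype and the hourly span are assumptions to be replaced with your own.

```spl
index=myindex sourcetype=mysourcetype
| eventstats count AS uuid_occurrences BY field1
| eval group=if(uuid_occurrences==1, "groupA", "groupB")
| timechart span=1h count BY group
```

Note that eventstats only counts occurrences within the searched time range, so a UUID whose second event falls outside the window is classified as groupA; widen the range (or set earliest/latest generously) so both events of a pair are visible. Because group B contains two events per UUID, use `timechart span=1h dc(field1) BY group` instead of `count` if you want one hit per trigger rather than one per event.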