Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How can I edit my search to chart relationships between values for a certain field in my data?

jlkokko
Path Finder
‎05-13-2016 02:28 PM

I have a simple search parsing project activity logs to pull a list of projects and people working on those projects:

index="main" | dedup Author Proj_repo | stats list(Proj_repo) AS Project by Author

This successfully returns a list of Authors and list of their projects. What kind of function(s) could I use to chart the relationships between authors? Something showing the Authors and how they're linked to the other Authors across projects.

0 Karma
Reply

woodcock
Esteemed Legend
‎05-15-2016 06:43 AM

Here are some:

index="main" | rename Proj_repo AS Project
| eventstats count AS updates BY Author Project
| eval updatesThisAuthor  = Project . ":" . updates
| eval updatesThisProject = Author  . ":" . updates
| multireport
   [ stats values(Project) dc(Project) values(updatesThisAuthor)  BY Author ]
   [ stats values(Author)  dc(Author)  values(updatesThisProject) BY Project ]
Reply

jlkokko
Path Finder
‎05-16-2016 05:53 AM

Ty for the pointer - One step forward 🙂

Here's a sample of the output columns I get:

Author   Project   dc(Author)   dc(Project)   values(Author)   values(Project)

I get values under Author, dc(Project) and values(Project). All other columns are empty.

0 Karma
Reply

jlkokko
Path Finder
‎05-16-2016 07:06 AM

just noticed if I switch the stats func under mutli report I can get a value for dc(Author) so that gives me an additional value needed...

0 Karma
Reply

woodcock
Esteemed Legend
‎05-19-2016 11:00 AM

I had a typo and used count instead of updates. I edited the original answer to fix. Try it now.

0 Karma
Reply
Get Updates on the Splunk Community!

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...

September Community Champions: A Shoutout to Our Contributors!

As we close the books on another fantastic month, we want to take a moment to celebrate the people who are the ...

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...