Splunk Search

How can I edit my stats search to change the output format?

Path Finder

I have a formating question.

When I run this:

index=userdata | eval platform=case(rl_user_agent like "%iPhone%", "Mobile" ,rl_user_agent like "%iPad%", "Mobile" , rl_user_agent like "%Android%", "Mobile" , 1=1, "Full Site") | eval status=case(rl_user_status=="Guest", "Guest", rl_user_status like "%Active%", "Active Sub", 1=1, "Registered") |rex field=rl_path "[/](?<path_root>[^/]*)"  | eval path_root=upper(path_root) | table status path_root platform | stats count by status path_root platform | stats list(platform) AS Platform, list(count) AS count by status path_root

I get

status : path_root : Platform : count
status1   path1      full site   12
                     mobile      10
status1   path2      full site   12
                     mobile      10

but how can I get

status : path_root : full site : mobile
status1  path1        12         10

status1  path2        12         10
Tags (3)
0 Karma


try like this:

...| chart count(eval(Platform="full site")) AS "full site",
count(eval(Platform="mobile ")) AS mobile  by status path_root


...| stats  count(eval(Platform="full site")) AS "full site" count(eval(Platform="mobile ")) AS mobile  by status path_root
0 Karma


Try chart instead of stats

... | chart count over path_root by Platform

Might have to reverse your over/by fields in the chart command; I generally get those reversed.

You will likely have to do an eval to concatenate status and path and then rex to split them out though. There might be a better option presented by someone else as well.

Path Finder

this is getting me much closer

0 Karma
Get Updates on the Splunk Community!

Thanks for the Memories! Splunk University, .conf24, and Community Connections

Thank you to everyone in the Splunk Community who joined us for .conf24 – starting with Splunk University and ...

.conf24 | Day 0

Hello Splunk Community! My name is Chris, and I'm based in Canberra, Australia's capital, and I travelled for ...

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

 (view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...