Splunk Search

How can we print results by 2 fields and group by another field

Naaba
New Member

Hi,
I have datas with these fields (this is a sample)

Project : Splunky
Label : Integration
Month : January

Project : Splunky
Label : Preproduction
Month : January

Project : Splunky
Label : Production
Month : April

Project : Mail
Label : Production
Month : February

Project : Share
Label : Integration
Month : March

Project : Share
Label : Production
Month : June

I want to print the results by Project by Month group by label

alt text

Is it possible?

Thanks

0 Karma

woodcock
Esteemed Legend

This sets up the sample data:

| makeresults
| eval raw="Project : Splunky, Label : Integration, Month : January::Project : Splunky, Label : Preproduction, Month : January::Project : Splunky, Label : Production, Month : April::Project : Mail, Label : Production, Month : February::Project : Share, Label : Integration, Month : March::Project : Share, Label : Production, Month : June"
| makemv delim="::" raw
| mvexpand raw
| rename raw AS _raw
| rex "Project\s*:\s*(?<Project>[^,]+),\s*Label\s*:\s*(?<Label>[^,]+),\s*Month\s*:\s*(?<Month>.*)"

This does the work that you need:

| eval _time = strptime(Month . "/1", "%b/%d")
| sort 0 _time
| streamstats dc(_time) AS _serial
| eval Month = case((_serial==1),                   Month,
                    (_serial==2),             " " . Month,
                    (_serial==3),            "  " . Month,
                    (_serial==4),          "   "  . Month,
                    (_serial==5),          "    " . Month,
                    (_serial==6),         "     " . Month,
                    (_serial==7),        "      " . Month,
                    (_serial==8),       "       " . Month,
                    (_serial==9),      "        " . Month,
                    (_serial==10),    "         " . Month,
                    (_serial==11),   "          " . Month,
                    (_serial==12),  "           " . Month,
                    (_serial==13), "            " . Month)
| chart values(Label) OVER Project BY Month
0 Karma

woodcock
Esteemed Legend

Like this:

Your Base Search Here .. | chart count OVER Project BY Month
0 Karma

Naaba
New Member

With this command I don't have the Label in the cells.
I have projets and months but not labels.
How can I add labels in cells?

0 Karma
Get Updates on the Splunk Community!

Splunk Federated Analytics for Amazon Security Lake

Thursday, November 21, 2024  |  11AM PT / 2PM ET Register Now Join our session to see the technical ...

Splunk With AppDynamics - Meet the New IT (And Engineering) Couple

Wednesday, November 20, 2024  |  10AM PT / 1PM ET Register Now Join us in this session to learn all about ...

Building a Self-Service and Scalable Observability Practice

Thursday, November 14, 2024  |  11AM PT / 2PM ET Register Now Join us in this session and learn how Splunk ...