Splunk Search

How do I use xyseries get the count and the values for each field?

bijodev1
Communicator

Hi Team, 

I have the following result in place with 30min bucket using stats values() and then xyseries 

time   field1            field2           field3           field4
05:30  4,10,11,12,30     1,13,14,9,8,7    5,7,3,8,9,1,55   23,24,17,18,19
06:00  19,10,11,12,30    12,3,14,9,8,7    1,17,3,8,1,34    22,2,25,17,18,19
06:30  20,10,11,12,55    11,13,14,9,18,7  10,7,3,8,9,1,4   23,24,26,1,18,49
07:00  21,10,11,12,44    12,13,17,9,7     6,7,3,9,1,23     23,24,25,17,18,19
07:30  31,10,11,12,50    1,13,14,9,8,7    5,7,3,8,9,11     23,24,25,17,18,19
08:00  1,10,11,12,30,88  12,13,14,9,81    5,7,3,8,9,17     23,24,25,17,18,19
08:30  1,10,11,12,30,99  12,13,14,9,81    5,7,3,8,9,18     23,24,25,17,18,19
09:00  1,11,12,30,23     11,1,14,9,7      10,7,3,8,9,18    23,24,25,17,18,19
09:30  1,10,11,12,300    12,13,4,9,8,7    4,7,3,8,9,1      23,24,25,17,18,19

Currently the result shows all the values for each field.
What I am looking for here is the top 3 values which have the maximum count for each field; not sure how to pull that result.

Request someone to guide.


bijodev1
Communicator

@ITWhisperer Thank you so much, it worked as expected.

ITWhisperer
SplunkTrust

Might be easier if you take a step back - how did you generate these values? There might be a way to limit it to the top 3 values before grouping them with values()


bijodev1
Communicator

It was like this:

mysearch | bucket _time span=10min
| stats delim="," values(result) AS result count by _time xyz
| nomv result
| sort -count
| dedup _time xyz
| sort _time
| xyseries _time xyz result

Note: xyz contains these fields: field1, field2, field3, field4.

Also, is it possible to append the values with their counts? For example:

time   field1         field2                field3             field4
05:30  4(100),10(40)  1(100),13(40),14(30)  5(80),7(60),3(50)  23(100),24(80),17(50)

The number in brackets shows the count for each value.

ITWhisperer
SplunkTrust

Does something like this work for you?

mysearch
| bin _time span=10min
| stats count by _time xyz result
| sort _time xyz -count
| streamstats count as rank global=f by _time xyz
| where rank < 4
| eval result=result."(".count.")"
| stats delim=", " values(result) AS result by _time xyz
| nomv result
| xyseries _time xyz result
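As an added example that is not from the thread, this Python re-creates offline what the accepted pipeline computes from constructed events (the event tuples, the 30-minute span and the xyz/result names are assumptions), so the expected "value(count)" cells can be checked before the search is run; count_order=False shows the ordering you get from values(), which sorts the labelled strings lexicographically rather than by count.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample events (assumed shape): (timestamp, xyz, result).
# xyz plays the role of the thread's field1..field4, result the raw value.
EVENTS = [
    ("2024-03-01 05:31", "field1", "4"), ("2024-03-01 05:40", "field1", "4"),
    ("2024-03-01 05:55", "field1", "4"), ("2024-03-01 05:33", "field1", "10"),
    ("2024-03-01 05:34", "field1", "10"), ("2024-03-01 05:35", "field1", "11"),
    ("2024-03-01 05:36", "field1", "12"), ("2024-03-01 05:37", "field2", "1"),
    ("2024-03-01 05:38", "field2", "1"), ("2024-03-01 05:39", "field2", "13"),
    ("2024-03-01 06:01", "field1", "19"), ("2024-03-01 06:02", "field1", "19"),
    ("2024-03-01 06:03", "field1", "10"), ("2024-03-01 06:04", "field1", "11"),
]


def bucket(ts: str, span_min: int) -> str:
    """`bin _time span=30min`: floor the timestamp to its bucket start (HH:MM)."""
    t = datetime.strptime(ts, "%Y-%m-%d %H:%M")
    floored = (t.hour * 60 + t.minute) // span_min * span_min
    return f"{floored // 60:02d}:{floored % 60:02d}"


def top_values(events, span_min=30, top_n=3, count_order=True):
    """Return {bucket: {xyz: "v(count), ..."}}, i.e. the rows xyseries pivots.

    count_order=True keeps the ranked (most frequent first) order, which is
    what list() would preserve; count_order=False mirrors values(), which
    sorts the labelled strings, so "10(2)" lands before "4(3)".
    """
    # stats count by _time xyz result
    counts = defaultdict(Counter)
    for ts, xyz, result in events:
        counts[(bucket(ts, span_min), xyz)][result] += 1
    table = defaultdict(dict)
    for (b, xyz), ctr in counts.items():
        # sort _time xyz -count (value string as a deterministic tie-break),
        # streamstats count as rank ..., where rank < 4
        ranked = sorted(ctr.items(), key=lambda kv: (-kv[1], kv[0]))[:top_n]
        # eval result=result."(".count.")"
        labelled = [f"{v}({c})" for v, c in ranked]
        if not count_order:
            labelled.sort()  # values() sorts (and dedups) as strings
        # stats delim=", " values(result) AS result ... | nomv result
        table[b][xyz] = ", ".join(labelled)
    return dict(table)
```

If the count order matters in the real search, list() keeps the ranked order that values() discards, and sort 0 lifts the default 10000-row limit that sort applies.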