Splunk Search

How do I use xyseries get the count and the values for each field?

bijodev1
Communicator

Hi Team, 

I have the following result in place with 30min bucket using stats values() and then xyseries 

time            field1                   field2                      field3                   field4

05:30 4,10,11,12,30 1,13,14,9,8,7 5,7,3,8,9,1,55 23,24,17,18,19
06:00 19,10,11,12,30 12,3,14,9,8,7 1,17,3,8,1,34 22,2,25,17,18,19
06:30 20,10,11,12,55 11,13,14,9,18,7 10,7,3,8,9,1,4 23,24,26,1,18,49
07:00 21,10,11,12,44 12,13,17,9,7 6,7,3,9,1,23 23,24,25,17,18,19
07:30 31,10,11,12,50 1,13,14,9,8,7 5,7,3,8,9,11 23,24,25,17,18,19
08:00 1,10,11,12,30,88 12,13,14,9,81 5,7,3,8,9,17 23,24,25,17,18,19
08:30 1,10,11,12,30,99 12,13,14,9,81 5,7,3,8,9,18 23,24,25,17,18,19
09:00 1,11,12,30,23 11,1,14,9,7 10,7,3,8,9,18 23,24,25,17,18,19
09:30 1,10,11,12,300 12,13,4,9,8,7 4,7,3,8,9,1 23,24,25,17,18,19

 

Currently the result shows all the values for each field.
What I am looking here is the top 3 values which has maximum count for each field, not sure how to pull that result.

Request someone to guide.

Labels (2)
Tags (1)
0 Karma
1 Solution

ITWhisperer
SplunkTrust
SplunkTrust

Does something like this work for you?

mysearch
| bin _time span=10min
| stats count by _time xyz result
| sort _time xyz -count
| streamstats count as rank global=f by _time xyz
| where rank < 4
| eval result=result."(".count.")"
| stats delim=", " values(result) AS result by _time xyz
| nomv result
| xyseries _time xyz result

View solution in original post

bijodev1
Communicator

@ITWhisperer  Thank you so much, it worked as expected.

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

Might be easier if you take a step back - how did you generate these values? There might be a way to limit it to the top 3 values before grouping them with values()

0 Karma

bijodev1
Communicator

it was like this 

mysearch | bucket _time span=10min
| stats delim="," values(result) AS result count by _time xyz
| nomv result
| sort -count
| dedup _time xyz
| sort _time
| xyseries _time xyz result

Note : xyz contains these field1 , field2, field3, field4

also is it possible to append with the values - with its count. like for example :

time            field1                   field2                                  field3                                     field4

05:304(100),10(40)1(100),13(40),14(30)5(80),7(60),3(50)23(100),24(80),17(50)

 

The one in brackets shows the count per each value.

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

Does something like this work for you?

mysearch
| bin _time span=10min
| stats count by _time xyz result
| sort _time xyz -count
| streamstats count as rank global=f by _time xyz
| where rank < 4
| eval result=result."(".count.")"
| stats delim=", " values(result) AS result by _time xyz
| nomv result
| xyseries _time xyz result
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...