Splunk Search

How do I use xyseries get the count and the values for each field?

bijodev1
Communicator

Hi Team, 

I have the following result in place with 30min bucket using stats values() and then xyseries 

time            field1                   field2                      field3                   field4

05:30 4,10,11,12,30 1,13,14,9,8,7 5,7,3,8,9,1,55 23,24,17,18,19
06:00 19,10,11,12,30 12,3,14,9,8,7 1,17,3,8,1,34 22,2,25,17,18,19
06:30 20,10,11,12,55 11,13,14,9,18,7 10,7,3,8,9,1,4 23,24,26,1,18,49
07:00 21,10,11,12,44 12,13,17,9,7 6,7,3,9,1,23 23,24,25,17,18,19
07:30 31,10,11,12,50 1,13,14,9,8,7 5,7,3,8,9,11 23,24,25,17,18,19
08:00 1,10,11,12,30,88 12,13,14,9,81 5,7,3,8,9,17 23,24,25,17,18,19
08:30 1,10,11,12,30,99 12,13,14,9,81 5,7,3,8,9,18 23,24,25,17,18,19
09:00 1,11,12,30,23 11,1,14,9,7 10,7,3,8,9,18 23,24,25,17,18,19
09:30 1,10,11,12,300 12,13,4,9,8,7 4,7,3,8,9,1 23,24,25,17,18,19

 

Currently the result shows all the values for each field.
What I am looking here is the top 3 values which has maximum count for each field, not sure how to pull that result.

Request someone to guide.

Labels (2)
Tags (1)
0 Karma
1 Solution

ITWhisperer
SplunkTrust
SplunkTrust

Does something like this work for you?

mysearch
| bin _time span=10min
| stats count by _time xyz result
| sort _time xyz -count
| streamstats count as rank global=f by _time xyz
| where rank < 4
| eval result=result."(".count.")"
| stats delim=", " values(result) AS result by _time xyz
| nomv result
| xyseries _time xyz result

View solution in original post

bijodev1
Communicator

@ITWhisperer  Thank you so much, it worked as expected.

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

Might be easier if you take a step back - how did you generate these values? There might be a way to limit it to the top 3 values before grouping them with values()

0 Karma

bijodev1
Communicator

it was like this 

mysearch | bucket _time span=10min
| stats delim="," values(result) AS result count by _time xyz
| nomv result
| sort -count
| dedup _time xyz
| sort _time
| xyseries _time xyz result

Note : xyz contains these field1 , field2, field3, field4

also is it possible to append with the values - with its count. like for example :

time            field1                   field2                                  field3                                     field4

05:304(100),10(40)1(100),13(40),14(30)5(80),7(60),3(50)23(100),24(80),17(50)

 

The one in brackets shows the count per each value.

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

Does something like this work for you?

mysearch
| bin _time span=10min
| stats count by _time xyz result
| sort _time xyz -count
| streamstats count as rank global=f by _time xyz
| where rank < 4
| eval result=result."(".count.")"
| stats delim=", " values(result) AS result by _time xyz
| nomv result
| xyseries _time xyz result
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...