Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How do I use xyseries get the count and the values for each field?

bijodev1
Communicator
‎03-11-2022 03:40 AM

Hi Team, 

I have the following result in place with 30min bucket using stats values() and then xyseries 

time            field1                   field2                      field3                   field4

05:30 4,10,11,12,30 1,13,14,9,8,7 5,7,3,8,9,1,55 23,24,17,18,19
06:00 19,10,11,12,30 12,3,14,9,8,7 1,17,3,8,1,34 22,2,25,17,18,19
06:30 20,10,11,12,55 11,13,14,9,18,7 10,7,3,8,9,1,4 23,24,26,1,18,49
07:00 21,10,11,12,44 12,13,17,9,7 6,7,3,9,1,23 23,24,25,17,18,19
07:30 31,10,11,12,50 1,13,14,9,8,7 5,7,3,8,9,11 23,24,25,17,18,19
08:00 1,10,11,12,30,88 12,13,14,9,81 5,7,3,8,9,17 23,24,25,17,18,19
08:30 1,10,11,12,30,99 12,13,14,9,81 5,7,3,8,9,18 23,24,25,17,18,19
09:00 1,11,12,30,23 11,1,14,9,7 10,7,3,8,9,18 23,24,25,17,18,19
09:30 1,10,11,12,300 12,13,4,9,8,7 4,7,3,8,9,1 23,24,25,17,18,19

 

Currently the result shows all the values for each field.
What I am looking here is the top 3 values which has maximum count for each field, not sure how to pull that result.

Request someone to guide.

Labels (2)
Labels
Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎03-11-2022 04:54 AM

Does something like this work for you?

mysearch
| bin _time span=10min
| stats count by _time xyz result
| sort _time xyz -count
| streamstats count as rank global=f by _time xyz
| where rank < 4
| eval result=result."(".count.")"
| stats delim=", " values(result) AS result by _time xyz
| nomv result
| xyseries _time xyz result

View solution in original post

Reply
Solved! Jump to solution

bijodev1
Communicator
‎03-11-2022 05:47 AM

@ITWhisperer  Thank you so much, it worked as expected.

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎03-11-2022 03:52 AM

Might be easier if you take a step back - how did you generate these values? There might be a way to limit it to the top 3 values before grouping them with values()

0 Karma
Reply
Solved! Jump to solution

bijodev1
Communicator
‎03-11-2022 04:22 AM

it was like this 

mysearch | bucket _time span=10min
| stats delim="," values(result) AS result count by _time xyz
| nomv result
| sort -count
| dedup _time xyz
| sort _time
| xyseries _time xyz result

Note : xyz contains these field1 , field2, field3, field4

also is it possible to append with the values - with its count. like for example :

time            field1                   field2                                  field3                                     field4

05:304(100),10(40)1(100),13(40),14(30)5(80),7(60),3(50)23(100),24(80),17(50)

 

The one in brackets shows the count per each value.

0 Karma
Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎03-11-2022 04:54 AM

Does something like this work for you?

mysearch
| bin _time span=10min
| stats count by _time xyz result
| sort _time xyz -count
| streamstats count as rank global=f by _time xyz
| where rank < 4
| eval result=result."(".count.")"
| stats delim=", " values(result) AS result by _time xyz
| nomv result
| xyseries _time xyz result
Reply
Register for .conf25!
Get Updates on the Splunk Community!

Why You Can't Miss .conf25: Unleashing the Power of Agentic AI with Splunk & Cisco

The Defining Technology Movement of Our Lifetime The advent of agentic AI is arguably the defining technology ...

Deep Dive into Federated Analytics: Unlocking the Full Power of Your Security Data

In today’s complex digital landscape, security teams face increasing pressure to protect sprawling data across ...

Your summer travels continue with new course releases

Summer in the Northern hemisphere is in full swing, and is often a time to travel and explore. If your summer ...