Solved: Re: How do you Timechart by multiple fields?

Esperteyu · ‎10-08-2018

Hi,

I'm struggling with the below query "presentable" in a dashboard. Initially, my idea was to have time on the x-axis, and the count of events on the y-axis, and columns for each scheme stacking the countries (if that makes sense, I thought could be a viable visualization) but can't make it work although the search gives the correct values

index="my_index" base_search 
| rex field=_raw "\\\\\"country\\\\\":\\\\\"(?<country>\w+)\\\\\"" 
| rex field=_raw "\\\\\"scheme\\\\\":\\\\\"(?<scheme>\w+)\\\\\"" 
| stats count by country, scheme

Thanks

woodcock · ‎10-08-2018

You have to create an aggregate field like this:

index="my_index" base_search 
| rex "\\\\\"country\\\\\":\\\\\"(?<country>\w+)\\\\\"" 
| rex "\\\\\"scheme\\\\\":\\\\\"(?<scheme>\w+)\\\\\"" 
| eval country_scheme = country . ":" . scheme
| timechart count BY country_scheme

View solution in original post

woodcock · ‎10-08-2018

You have to create an aggregate field like this:

index="my_index" base_search 
| rex "\\\\\"country\\\\\":\\\\\"(?<country>\w+)\\\\\"" 
| rex "\\\\\"scheme\\\\\":\\\\\"(?<scheme>\w+)\\\\\"" 
| eval country_scheme = country . ":" . scheme
| timechart count BY country_scheme

rojyates · ‎10-24-2019

An alternative to | eval country_scheme = country . ":" . scheme is to use strcat:

| strcat country ":" scheme country_scheme
| timechart count BY country_scheme

How do you Timechart by multiple fields?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Build the Future of Agentic AI: Join the Splunk Agentic Ops Hackathon

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

Splunk Community Badges!

Join the Conversation