Re: How do you use multiple by fields with a trell...

tgdvopab · ‎01-21-2019

Hi all,

I want to get the average from a value, group this by cluster and hostname and show the value in a timechart.

With the grid-view, I would like to have one panel for each cluster.

For example:

index=foo sourcetype=bar | timechart avg(Value) by cluster,hostname

And have for each cluster a separate panel.

Is this possible? I know that multiple by fields are possible with the stats-command.

But, I'm not able to group them with the grid view.

Someone can help me please?

niketn · ‎01-21-2019

@tgdvopab, what do you imply by Grid View? If you are on Splunk 6.6 or higher, try to feed the output of following query to Trellis Layout and Split by Cluster as aggregation field.

 index=foo sourcetype=bar 
| bin _time span=1h
| stats count by  cluster,hostname

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

niketn · ‎01-21-2019

@tgdvopab if your issue is resolved, do go ahead and accept the answer to mark this question as resolved!

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

tgdvopab · ‎01-22-2019

Thanks for your answer! 🙂
Now I need to have the data from stats in a timechart.
So I think I need also the _time value in stats, for example: stats count by _time,cluster,hostname
But this doesn't work. Do you have an idea?

How do you use multiple by fields with a trellis layout?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

How to find the worst searches in your Splunk environment and how to fix them

Share Your Feedback: On Admin Config Service (ACS)!

Build the Future of Agentic AI: Join the Splunk Agentic Ops Hackathon

Join the Conversation