How to Count multiple fields in histogram?

rpecka · ‎06-27-2022

I have rows in the form:

ID

Field1

Field2

Field3

And I would like to create a histogram that shows the values of all three fields.

I can make one for Field1 by doing stats count by Field1 span=1000 but I can't seem to figure out how I would get the other values into the same table. Do I need to do multiple searches and join them? How would I go about doing that?

ITWhisperer · ‎07-01-2022

It is not clear what you expect the result to look like - for example, if field1 contains either "A", "B", or "C", and field2 contains either "A", "B", or "C", do you want the frequency of "A" in field1 counted separately from the frequency of "A" in field2, etc.?

yuanliu · ‎06-27-2022

You can bin every field before counting, e.g.,

index=_internal
| bin date_hour
| bin date_minute
| bin date_second
| stats count by date_hour date_minute date_second

Would this work for your scenario?

gcusello · ‎06-27-2022

Hi @rpecka,

probably the solution hinted by @yuanliu is the correct one, if you want the values of field1 field2 and field3 for each ID, you could try this:

index=your_index
| stats count(field1) AS field1 count(field2) AS field2 count(field3) AS field3 BY ID

Ciao.

Giuseppe

How to Count multiple fields in histogram?

chart

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...

AppDynamics is now part of Splunk Ideas

Advanced Splunk Data Management Strategies