Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

How to chart over multiple fields?

mahesh27
Communicator
‎07-25-2023 10:44 AM

my query:

index=abd   ("start app"  AND  "app listed")  |rex field=_raw "APP:\s+(<application1>\S+)"
|rex field=_raw "LLA:\s+\[?<dip>[^\]]+)."
|dedup dip
|chart over application1
|appendcols
[|search index=abd ("POST /ui/logs" OR  "POST /ui/data" OR "POST /ui/vi/reg") AND  "state: complete"
 |rex field=_raw "APP:  (?<application2>\w+)"
|rex field=_raw "LLA:\s+\[?<dip>[^\]]+)."
|dedup dip
|chart over application2




i want output as shown below: HOW TO GET THIS??

application1 count application2 count
L1 10 L1 15
M2 20 M2 4
L3 45 L3 100
Labels (1)
Labels
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎07-25-2023 11:01 AM

Hi @mahesh27 ,

have application1 and application2 the same values? and you want the count of each value in application1 and application2?

if yes, you could try something like this:

index=abd   ("start app"  AND  "app listed") OR (("POST /ui/logs" OR  "POST /ui/data" OR "POST /ui/vi/reg") "state: complete")
| rex field=_raw "APP:\s+(<application>\S+)"
| rex field=_raw "LLA:\s+\[?<dip>[^\]]+)."
| eval app=if(searchmatch("state: complete"),"application2","application1"
| chart 
   count(eval(app="application1")) AS application1
   count(eval(app="application2")) AS application2
   BY application

Ciao.

Giuseppe

0 Karma
Reply

mahesh27
Communicator
‎07-25-2023 11:17 AM

@gcusello , application 1 and application 2 has same application names but different counts, so i want to get the application names and count separately for each application.

i tried the query which you provided i am not getting any results.

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎07-26-2023 08:40 AM

Hi @mahesh27 

with my solution, you have a different count for application1 and application2.

the issue should be on the regexes, could you share some samples from application1 and application2?

Ciao.

Giuseppe

0 Karma
Reply

yuanliu
SplunkTrust
SplunkTrust
‎07-25-2023 04:28 PM

Have you accounted for some syntax errors?  A valid search would look like

index=abd  ( ("start app"  AND  "app listed") OR ("POST /ui/logs" OR  "POST /ui/data" OR "POST /ui/vi/reg") AND "state: complete")
| rex field=_raw "APP:\s+(?<application>\S+)"
| rex field=_raw "LLA:\s+\[(?<dip>[^\]]+)."
| dedup dip
| eval app=if(searchmatch("state: complete"),"application2","application1")
| chart 
   count(eval(app="application1")) AS application1
   count(eval(app="application2")) AS application2
   BY application

If there is no output, it simply means that | rex field=_raw "APP:\s+(?<application>\S+)" (which @gcusello copied from your sample code) extracts nothing.  You need to examine your raw data and find out what is the correct regex.  Alternatively, you will need to post data samples to get help on regex.

Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

After a whole week of being on call, you fell asleep on your keyboard, and you hit a sequence of buttons that ...