Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to chart over multiple fields?

mahesh27
Communicator
‎07-25-2023 10:44 AM

my query:

index=abd   ("start app"  AND  "app listed")  |rex field=_raw "APP:\s+(<application1>\S+)"
|rex field=_raw "LLA:\s+\[?<dip>[^\]]+)."
|dedup dip
|chart over application1
|appendcols
[|search index=abd ("POST /ui/logs" OR  "POST /ui/data" OR "POST /ui/vi/reg") AND  "state: complete"
 |rex field=_raw "APP:  (?<application2>\w+)"
|rex field=_raw "LLA:\s+\[?<dip>[^\]]+)."
|dedup dip
|chart over application2




i want output as shown below: HOW TO GET THIS??

application1 count application2 count
L1 10 L1 15
M2 20 M2 4
L3 45 L3 100
Labels (1)
Labels
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎07-25-2023 11:01 AM

Hi @mahesh27 ,

have application1 and application2 the same values? and you want the count of each value in application1 and application2?

if yes, you could try something like this:

index=abd   ("start app"  AND  "app listed") OR (("POST /ui/logs" OR  "POST /ui/data" OR "POST /ui/vi/reg") "state: complete")
| rex field=_raw "APP:\s+(<application>\S+)"
| rex field=_raw "LLA:\s+\[?<dip>[^\]]+)."
| eval app=if(searchmatch("state: complete"),"application2","application1"
| chart 
   count(eval(app="application1")) AS application1
   count(eval(app="application2")) AS application2
   BY application

Ciao.

Giuseppe

0 Karma
Reply

mahesh27
Communicator
‎07-25-2023 11:17 AM

@gcusello , application 1 and application 2 has same application names but different counts, so i want to get the application names and count separately for each application.

i tried the query which you provided i am not getting any results.

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎07-26-2023 08:40 AM

Hi @mahesh27 

with my solution, you have a different count for application1 and application2.

the issue should be on the regexes, could you share some samples from application1 and application2?

Ciao.

Giuseppe

0 Karma
Reply

yuanliu
SplunkTrust
SplunkTrust
‎07-25-2023 04:28 PM

Have you accounted for some syntax errors?  A valid search would look like

index=abd  ( ("start app"  AND  "app listed") OR ("POST /ui/logs" OR  "POST /ui/data" OR "POST /ui/vi/reg") AND "state: complete")
| rex field=_raw "APP:\s+(?<application>\S+)"
| rex field=_raw "LLA:\s+\[(?<dip>[^\]]+)."
| dedup dip
| eval app=if(searchmatch("state: complete"),"application2","application1")
| chart 
   count(eval(app="application1")) AS application1
   count(eval(app="application2")) AS application2
   BY application

If there is no output, it simply means that | rex field=_raw "APP:\s+(?<application>\S+)" (which @gcusello copied from your sample code) extracts nothing.  You need to examine your raw data and find out what is the correct regex.  Alternatively, you will need to post data samples to get help on regex.

Reply
Get Updates on the Splunk Community!

Splunk Answers Content Calendar, June Edition II

Get ready to dive into Splunk Dashboard panels this week! We'll be tackling common questions around ...

Splunk Observability Cloud's AI Assistant in Action Series: Auditing Compliance and ...

This is the third post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how to ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...
li.common.scroll-to.top