Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

How to chart over multiple fields?

mahesh27
Communicator
‎07-25-2023 10:44 AM

my query:

index=abd   ("start app"  AND  "app listed")  |rex field=_raw "APP:\s+(<application1>\S+)"
|rex field=_raw "LLA:\s+\[?<dip>[^\]]+)."
|dedup dip
|chart over application1
|appendcols
[|search index=abd ("POST /ui/logs" OR  "POST /ui/data" OR "POST /ui/vi/reg") AND  "state: complete"
 |rex field=_raw "APP:  (?<application2>\w+)"
|rex field=_raw "LLA:\s+\[?<dip>[^\]]+)."
|dedup dip
|chart over application2




i want output as shown below: HOW TO GET THIS??

application1 count application2 count
L1 10 L1 15
M2 20 M2 4
L3 45 L3 100
Labels (1)
Labels
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎07-25-2023 11:01 AM

Hi @mahesh27 ,

have application1 and application2 the same values? and you want the count of each value in application1 and application2?

if yes, you could try something like this:

index=abd   ("start app"  AND  "app listed") OR (("POST /ui/logs" OR  "POST /ui/data" OR "POST /ui/vi/reg") "state: complete")
| rex field=_raw "APP:\s+(<application>\S+)"
| rex field=_raw "LLA:\s+\[?<dip>[^\]]+)."
| eval app=if(searchmatch("state: complete"),"application2","application1"
| chart 
   count(eval(app="application1")) AS application1
   count(eval(app="application2")) AS application2
   BY application

Ciao.

Giuseppe

0 Karma
Reply

mahesh27
Communicator
‎07-25-2023 11:17 AM

@gcusello , application 1 and application 2 has same application names but different counts, so i want to get the application names and count separately for each application.

i tried the query which you provided i am not getting any results.

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎07-26-2023 08:40 AM

Hi @mahesh27 

with my solution, you have a different count for application1 and application2.

the issue should be on the regexes, could you share some samples from application1 and application2?

Ciao.

Giuseppe

0 Karma
Reply

yuanliu
SplunkTrust
SplunkTrust
‎07-25-2023 04:28 PM

Have you accounted for some syntax errors?  A valid search would look like

index=abd  ( ("start app"  AND  "app listed") OR ("POST /ui/logs" OR  "POST /ui/data" OR "POST /ui/vi/reg") AND "state: complete")
| rex field=_raw "APP:\s+(?<application>\S+)"
| rex field=_raw "LLA:\s+\[(?<dip>[^\]]+)."
| dedup dip
| eval app=if(searchmatch("state: complete"),"application2","application1")
| chart 
   count(eval(app="application1")) AS application1
   count(eval(app="application2")) AS application2
   BY application

If there is no output, it simply means that | rex field=_raw "APP:\s+(?<application>\S+)" (which @gcusello copied from your sample code) extracts nothing.  You need to examine your raw data and find out what is the correct regex.  Alternatively, you will need to post data samples to get help on regex.

Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

Hello Splunkers,  We’re excited to kick off a Splunk Dashboard contest! We know that dashboards are a primary ...

May 2026 Splunk Expert Sessions: Security & Observability

Level Up Your Operations: May 2026 Splunk Expert Sessions Whether you are refining your security posture or ...