How to get event counts for multiple fields grouped by another field?

splunker1981
Path Finder

Hello all,

I'm new to Splunk and have been trying to figure this out for a while now. I'm not making much progress, so I thought I'd ask the experts. I would like to count events for two fields grouped by another field.

Right now, if I run the following command, I get the results I'm looking for, but the way they are being displayed is not exactly how I would like it.

searchHere | stats count as total by cust_action, account | stats values(cust_action) AS action, values(total) by account

This gives me something like what is shown below:

 account    action         total
 userA      submitted      4
            resubmitted    1
 userB      submitted      1
            resubmitted    0
 userC      submitted      1
            resubmitted    3
            cancelled      1

What I would like to do is have the column names in the results be the values from the cust_action field, with the count per account below each one:

 account    submitted    resubmitted    cancelled
 userA      4            1              0
 userB      1            0              0
 userC      1            3              1

Thanks for the help in advance.

1 Solution

somesoni2
Revered Legend

This should do it

searchHere | chart count as total over account by cust_action


woodcock
Esteemed Legend

Like this:

searchHere | chart count BY account cust_action
0 Karma
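
A run-anywhere version of the two answers above, added here as an example and not posted by either answerer. The eleven events are constructed with makeresults to match the counts in the question, and the helper field n is an assumption of this example. chart sorts the split-by columns alphabetically and by default keeps only the top 10 series (the rest are grouped under OTHER), so limit=0, fillnull and table are used to keep every action, create any column that has no events, and fix the column order.

```spl
| makeresults count=11
| streamstats count AS n
| eval account=case(n<=5, "userA", n==6, "userB", true(), "userC")
| eval cust_action=case(n<=4, "submitted", n==5, "resubmitted", n<=7, "submitted", n<=10, "resubmitted", true(), "cancelled")
| chart limit=0 count over account by cust_action
| fillnull value=0 submitted resubmitted cancelled
| table account submitted resubmitted cancelled
```

Replace the first four lines with the real base search (searchHere) once the output shape looks right.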
