
How to get event counts for multiple fields grouped by another field?

Path Finder

Hello all,

New to Splunk and have been trying to figure this out for a while now. Not making much progress, so thought I'd ask the experts. I would like to count events for two fields grouped by another field.

Right now, if I run the following command, I get the results I'm looking for, but the way they are being displayed is not exactly how I would like it.

searchHere | stats count as total by cust_action, account | stats values(cust_action) AS action, values(total) by account

This gives me something like what is shown below:

account    action         total
userA      submitted      4
           resubmitted    1
userB      submitted      1
           resubmitted    0
userC      submitted      1
           resubmitted    3
           cancelled      1

What I would like to do is have the column names in the results be the values from the cust_action field, with the count below each one, per account:

account    submitted    resubmitted    cancelled
userA      4            1              0
userB      1            0              0
userC      1            3              1

Thanks for the help in advance.


Re: How to get event counts for multiple fields grouped by another field?

SplunkTrust

This should do it

searchHere | chart count as total over account by cust_action


0 Karma

Re: How to get event counts for multiple fields grouped by another field?

Esteemed Legend

Like this:

searchHere | chart count BY account cust_action

0 Karma
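
A self-contained search that reproduces the table asked for in the question, added here as an example and not written by any of the posters. The eleven events are constructed with makeresults to match the counts in the question; limit=0 is added because chart otherwise keeps only the top 10 column values and folds the rest into an OTHER column, and the final table command fixes the column order, which chart would otherwise sort alphabetically.

```spl
| makeresults count=11
| streamstats count AS n
| eval account=case(n<=5, "userA", n==6, "userB", true(), "userC")
| eval cust_action=case(n<=4, "submitted", n==5, "resubmitted", n<=7, "submitted", n<=10, "resubmitted", true(), "cancelled")
| chart limit=0 count over account by cust_action
| table account submitted resubmitted cancelled
```

Combinations with no events (for example userB and cancelled) come back as 0 because the aggregation is count.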