
How to get stats count results broken down per field?

Path Finder

I have some logs where there are actions and a site associated with that action, for example CREATE, site_1.

I am trying to have a count of how many CREATE, DELETE, UPLOAD, etc. there are for each site in a table.

I can get it by doing a stats count(site_name) by action, but all I get returned is just a count(site_name) for the second column instead of the individual site names.


Re: How to get stats count results broken down per field?

SplunkTrust

There are a ton of search commands in the Splunk search language, but there are about 5 of them that are more important than the rest combined. Among these are "stats" and "chart", which seem similar but have very important differences.

Here's a link for more about stats vs chart. http://answers.splunk.com/answers/32001/difference-stats-and-chart.html

The key thing here is that you want chart count over site_name by action.

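The search from the answer above, run against generated events so it can be tried on any Splunk instance (an added example, not part of the original post). The seven events, the helper field n and the values site_1 and site_2 are constructed with makeresults; action and site_name are the field names from the question. chart returns one row per site_name with one column per action, and replacing the last line with `| stats count by site_name, action` returns the same counts as one row per site/action pair.

```spl
| makeresults count=7
| streamstats count AS n
| eval action=case(n<=3, "CREATE", n<=5, "DELETE", true(), "UPLOAD")
| eval site_name=if(n<=5, "site_1", "site_2")
| chart count over site_name by action
```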


Re: How to get stats count results broken down per field?

Path Finder

This worked perfectly, thanks for the explanation. I was wondering if chart would have worked better in this situation; I didn't know about the 'over' keyword.
