I have some logs where there are actions and a site associated with that action, for example CREATE, site_1.
I am trying to have a count of how many CREATE, DELETE, UPLOAD, etc. for each site in a table.
I can get it by doing a stats count(site_name) by action, but all I get returned is just a count(site_name) for the second column instead of the individual site names.
stats count(site_name) by action
There are a ton of search commands in the Splunk search language but there's about 5 of them that are more important than the rest combined. Among these are "stats" and "chart", which seem similar but have very important differences.
Here's a link for more about stats vs chart. http://answers.splunk.com/answers/32001/difference-stats-and-chart.html
The key thing here is that you want chart count over site_name by action:
chart count over site_name by action
This worked perfectly, thanks for the explanation. I was wondering if chart would have worked better in this situation; I didn't know about the 'over' keyword.
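The chart form from the accepted answer, as an added example that is not part of any post in this thread: the search builds six constructed events with makeresults (the action and site_name values are sample data, and n is a helper field introduced here) and pivots them into one row per site with one column per action.

```spl
| makeresults count=6 ```constructed sample events, not real log data```
| streamstats count AS n ```n is a helper row number used only to assign sample values```
| eval action=case(n<=3, "CREATE", n<=5, "DELETE", true(), "UPLOAD")
| eval site_name=case(n==1 OR n==4, "site_1", n==2 OR n==3 OR n==6, "site_2", true(), "site_3")
| chart count over site_name by action ```rows are sites, columns are actions```
```

Swapping the last line for `stats count by site_name, action` returns the same counts as one row per site and action pair instead of one column per action.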