My Splunk Search is as follows
index="someindex" cf_space_name="somespace" msg.severity="*" | rex field=msg.message ".*METHOD:(?<method>.*),\sREQUEST_URI>.*),\sRESPONSE_CODE:(?<responseCode>.*),\sRESPONSE_TIME:(?<responseTime>.*)\sms" | stats count by msg.service,method, requestURI, responseCode | sort -count
Result Table
| msg.service | method | requestURI | responseCode | Count |
| serviceA | GET | /v1/service/a | 200 | 327 |
| serviceB | POST | /v1/service/b | 200 | 164 |
| serviceA | POST | /v1/service/a | 200 | 91 |
Under Visualization, I am trying to change this as a bar chart.
I am getting all four fields on the x-axis. msg.service is mapped with count, and responseCode is mapped with responseCode. The other 2 fields are not visible since they are non-numeric fields.
if I remove fields using the following I get the proper chart (just msg.service mapped with count)
my query | fields -responseCode, method, reqeustURI
But I need something like this on the x and y axis
| x axis | y axis |
| serviceA GET v1/service/a 200 | 327 |
| serviceB POST /v1/service/b 200 | 164 |
| serviceA POST/v1/service/a 200 | 91 |
How to achieve this?
