Solved: How to table the count of each instance of fieldA,...

stage1v8 · ‎06-10-2015

Hi all,

I am trying to search some logs that have event_name and event_number. I want to produce a table that shows a count of how many instances of the event_number exist, but also show the event_name field next to it for reference.

So a table with 3 columns:
event_number, event_name, count

I can get one or the other, but not both.
This works for one: index=index1 | chart count by event_number
This works for one: index=index1 | chart count by event_name
This doesn't work: index=index1 | chart count by event_name event_number
Nor this: index=index1 | chart count by event_number | fields event_number event_name count

Does what I am trying to achieve make sense?

Any suggestions?

Thanks

stage1v8 · ‎06-10-2015

After lots of googling, I seem to have answered it myself

index=index1 | stats count(event_name) by event_name event_number | sort event_number

View solution in original post

stage1v8 · ‎06-10-2015

After lots of googling, I seem to have answered it myself

index=index1 | stats count(event_name) by event_name event_number | sort event_number

How to table the count of each instance of fieldA, but also show fieldB as an additional column next to it for reference?

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms