Is there a way to group by multiple fields in a ti...

daniel333 · ‎12-15-2017

All,

I am looking to create a single timechart which displays the count of status by requestcommand by action. So two "by's". Maybe I should compound the field?

tag=myrest "https://api.mydomain.net/somemethod/listings/*" host=MYHOST*
| rex field=_raw "action=(?<requestcommand>RELEASE|HOLD|EXTEND|PURCHASE)"
| rename event.Properties.LogEntry.ResponseStatusCode AS status
| search status=*
| timechart count(status) by action, requestcommand

mayurr98 · ‎12-15-2017

Try this :

tag=myrest "https://api.mydomain.net/somemethod/listings/*" host=MYHOST* 
| bin _time span=5m \\specify time span 
| rex field=_raw "action=(?<requestcommand>RELEASE|HOLD|EXTEND|PURCHASE)" 
| rename event.Properties.LogEntry.ResponseStatusCode AS status 
| search status=* 
| stats count(status) as status_count by _time action requestcommand

Let me know if this helps!

somesoni2 · ‎12-15-2017

Yes.. combine the field before your timechart command.

...| eval action_rcommand=action.":".requestcommand
| timechart count(status) by action_rcommand

Is there a way to group by multiple fields in a timechart?

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

New Release | Splunk Cloud Platform 10.1.2507

🌟 From Audit Chaos to Clarity: Welcoming Audit Trail v2

Are you a member of the Splunk Community?

Is there a way to group by multiple fields in a timechart?

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

New Release | Splunk Cloud Platform 10.1.2507

🌟 From Audit Chaos to Clarity: Welcoming Audit Trail v2