Splunk Search

Multiple grouping of data over chart

ujwalagangakoth
New Member

I have to group defects based on severity and again based on release. The chart should contain multiple grouping, first by severity, then by release. I have two envs, prod and pre-prod. I have to group pre-prod and prod based on severity, i.e. for sev1 we need the pre-prod and prod grouping, and the same goes for sev2 and sev3; then these sev1, sev2, sev3 will again be grouped by release. So in the chart I need release-wise grouping, and in each release each severity contains prod and pre-prod.
index="index" sourcetype="defects" (STATE="Closed" OR STATE="Retest Complete") DETECTED_IN_RELEASE="" SEVERITY="" (ENVIRONMENT=D000002 OR ENVIRONMENT=D000007 OR ENVIRONMENT=Prod OR ENVIRONMENT=Production)
| sort DETECTED_IN_RELEASE
| stats count(eval(ENVIRONMENT="D000002" OR ENVIRONMENT="D000007")) as PPROD_IND count(eval(ENVIRONMENT="Prod" OR ENVIRONMENT="Production")) as PROD_IND by DETECTED_IN_RELEASE SEVERITY
| stats sum(PPROD_IND) as TOT_PPROD sum(PROD_IND) as TOT_PROD by DETECTED_IN_RELEASE SEVERITY
| eval DRE%=round(TOT_PPROD/(TOT_PPROD+TOT_PROD)*100,1)
| rename DETECTED_IN_RELEASE as Release
| chart sum(TOT_PPROD) as PPROD sum(TOT_PROD) as PROD over Release by SEVERITY

This is the query I am using, but I am not able to display DRE% as an overlay field, and I also need further classification of Release, i.e. consider there are releases ab, cd, de, ef; the chart should display the fields in this format, in three-level grouping:

PProd,Prod PProd,Prod PProd,Prod   PProd,Prod PProd,Prod PProd,Prod   PProd,Prod PProd,Prod PProd,Prod   (env grouping)
Sev 1      Sev2       Sev3         Sev 1      Sev2       Sev3         Sev 1      Sev2       Sev3         (severity grouping)
ab                                 cd                                 ef                                 (release grouping)

0 Karma

mayurr98
Super Champion

Hey, if you give us a sample input event and the output you want to achieve, then it would be good.
Meanwhile try this

index=your_index | stats count as no_of_defects by prod_environment severity release

Let me know if this helps you!

0 Karma
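One way to get the three-level layout the question asks for in a single chart, as an added example that is not code from either post: chart accepts only one over field and one by field, so severity and environment are combined into one split-by value. Field names and environment values are taken from the query in the question; the assumption that SEVERITY values sort in the wanted order (for example 1, 2, 3) is mine. DRE% is computed after chart rather than before it, because chart keeps only the aggregated columns and silently drops any field computed earlier, which is why the eval in the question never reaches the visualization.

```spl
index="index" sourcetype="defects" (STATE="Closed" OR STATE="Retest Complete")
    (ENVIRONMENT="D000002" OR ENVIRONMENT="D000007" OR ENVIRONMENT="Prod" OR ENVIRONMENT="Production")
| eval ENV=if(ENVIRONMENT="Prod" OR ENVIRONMENT="Production", "Prod", "PProd")
| eval SEV_ENV=SEVERITY."_".ENV
| chart count over DETECTED_IN_RELEASE by SEV_ENV
| eval TOT_PPROD=0, TOT_PROD=0
| foreach *_PProd [ eval TOT_PPROD=TOT_PPROD + coalesce('<<FIELD>>', 0) ]
| foreach *_Prod  [ eval TOT_PROD=TOT_PROD + coalesce('<<FIELD>>', 0) ]
| eval "DRE%"=round(TOT_PPROD / (TOT_PPROD + TOT_PROD) * 100, 1)
| fields - TOT_PPROD TOT_PROD
| rename DETECTED_IN_RELEASE as Release
```

The result has one row per release and one column per severity/environment pair (1_PProd, 1_Prod, 2_PProd, and so on, since chart sorts the split-by values), which gives release on the x-axis and severity grouped with pre-prod and prod side by side in each release. The two foreach commands sum the pre-prod and prod columns per release so DRE% is a column of the chart results; in a dashboard that column can then be selected as the chart overlay (Format > Chart Overlay, or charting.chart.overlayFields in Simple XML). The wildcard *_Prod does not match the *_PProd columns because the literal suffix _Prod is not a substring of _PProd.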

ujwalagangakoth
New Member

index="index" sourcetype="defects" (STATE="Closed" OR STATE="Retest Complete") DETECTED_IN_RELEASE="" SEVERITY="" (ENVIRONMENT=D000002 OR ENVIRONMENT=D000007 OR ENVIRONMENT=Prod OR ENVIRONMENT=Production)
| sort DETECTED_IN_RELEASE
| stats count(eval(ENVIRONMENT="D000002" OR ENVIRONMENT="D000007")) as PPROD_IND count(eval(ENVIRONMENT="Prod" OR ENVIRONMENT="Production")) as PROD_IND by DETECTED_IN_RELEASE SEVERITY
| stats sum(PPROD_IND) as TOT_PPROD sum(PROD_IND) as TOT_PROD by DETECTED_IN_RELEASE SEVERITY
| eval DRE%=round(TOT_PPROD/(TOT_PPROD+TOT_PROD)*100,1)
| rename DETECTED_IN_RELEASE as Release
| chart sum(TOT_PPROD) as PPROD sum(TOT_PROD) as PROD over Release by SEVERITY

This is the query I am using, but I am not able to display DRE% as an overlay field, and I also need further classification of Release, i.e. consider there are releases ab, cd, de, ef; the chart should display the fields in this format:

PProd,Prod PProd,Prod PProd,Prod   PProd,Prod PProd,Prod PProd,Prod   PProd,Prod PProd,Prod PProd,Prod
Sev 1      Sev2       Sev3         Sev 1      Sev2       Sev3         Sev 1      Sev2       Sev3
ab                                 cd                                 ef

0 Karma