Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Multiple grouping ofdata over chart

ujwalagangakoth
New Member
‎01-10-2018 01:02 AM

alt textI have to group defects based on severity and again based on release.the chart should contain multiple grouping first by severity then by release.I have two envs prod and pre prod .I have to group preprod and prod based on severity i.e for sev1 we need preprod and prod grouping same goes for sev2 and sev3 ,then these sev1,sev2,sev3 will be again grouped by release. so in chart , i need release wise grouping and in each release ,each severit contains prod and pre prod
index="index" sourcetype="defects" (STATE="Closed" OR STATE="Retest Complete") DETECTED_IN_RELEASE="" SEVERITY="" ENVIRONMENT=D000002 OR ENVIRONMENT=D000007 OR ENVIRONMENT=Prod OR ENVIRONMENT=Production|sort DETECTED_IN_RELEASE |stats count(eval(ENVIRONMENT= "D000002" OR ENVIRONMENT="D000007")) as PPROD_IND count(eval(ENVIRONMENT="Prod" OR ENVIRONMENT="Production")) as PROD_IND by DETECTED_IN_RELEASE SEVERITY | stats sum(PPROD_IND) as TOT_PPROD sum(PROD_IND) as TOT_PROD by DETECTED_IN_RELEASE SEVERITY
| eval DRE%=round(TOT_PPROD/(TOT_PPROD+TOT_PROD)*100,1)
|rename DETECTED_IN_RELEASE as Release
| chart sum(TOT_PPROD) as PPROD sum(TOT_PROD) as PROD over Release by SEVERITY

This is the query i am using but I am not able to dispaly DIE% as overlay field and also I need further classiifcation of Release i.e consider there are releases ab,cd,de,ef chart should display the fields in this format in three level grouping

PProd,Prod PProd,Prod PProd,Prod PProd,Prod PProd,Prod PProd,Prod PProd,Prod PProd,Prod PProd,Prod (env grouping)
Sev 1 Sev2 Sev3 Sev 1 Sev2 Sev3 Sev 1 Sev2 Sev3 (severity grouping)
ab cd ef (release grouping)

Tags (2)
Preview file
66 KB
0 Karma
Reply

mayurr98
Super Champion
‎01-10-2018 04:45 AM

hey if you give us sample input event and output you want to achieve then it would be good.
Meanwhile try this

index=your_index | stats count  as no_of_defects by  prod_environment severity release

let me know if this helps you!

0 Karma
Reply

ujwalagangakoth
New Member
‎01-10-2018 06:21 AM

index="index" sourcetype="defects" (STATE="Closed" OR STATE="Retest Complete") DETECTED_IN_RELEASE="" SEVERITY="" ENVIRONMENT=D000002 OR ENVIRONMENT=D000007 OR ENVIRONMENT=Prod OR ENVIRONMENT=Production|sort DETECTED_IN_RELEASE |stats count(eval(ENVIRONMENT= "D000002" OR ENVIRONMENT="D000007")) as PPROD_IND count(eval(ENVIRONMENT="Prod" OR ENVIRONMENT="Production")) as PROD_IND by DETECTED_IN_RELEASE SEVERITY | stats sum(PPROD_IND) as TOT_PPROD sum(PROD_IND) as TOT_PROD by DETECTED_IN_RELEASE SEVERITY
| eval DRE%=round(TOT_PPROD/(TOT_PPROD+TOT_PROD)*100,1)
|rename DETECTED_IN_RELEASE as Release
| chart sum(TOT_PPROD) as PPROD sum(TOT_PROD) as PROD over Release by SEVERITY

This is the query i am using but I am not able to dispaly DIE% as overlay field and also I need further classiifcation of Release i.e consider there are releases ab,cd,de,ef chart should display the fields in this format

PProd,Prod PProd,Prod PProd,Prod PProd,Prod PProd,Prod PProd,Prod PProd,Prod PProd,Prod PProd,Prod
Sev 1 Sev2 Sev3 Sev 1 Sev2 Sev3 Sev 1 Sev2 Sev3
ab cd ef

0 Karma
Reply
Get Updates on the Splunk Community!

Celebrating Fast Lane: 2025 Authorized Learning Partner of the Year

At .conf25, Splunk proudly recognized Fast Lane as the 2025 Authorized Learning Partner of the Year. This ...

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...