Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Problem in Search Command

sbnoobbb
Path Finder
‎07-17-2013 11:36 PM

Hi,

Please take a look at my table below which i came up with using this search command

sourcetype="json_onemap" | stats max(cases) as NoOfCases by description location _time | sort -_time

I manage to come up with this search command to see an overview of the data i want to retrieve but I just could not derive the logic. I need to sum up the no. of cases in each description with the same location in the given day.

Please help me!

alt text

I want to achieve something like this:

alt text

Thank you and have a nice day ahead !

Tags (2)
Reply

clymbouris
Path Finder
‎07-20-2013 10:41 PM

Hi,

I wouldn't use the _time field in this case. If you want a time trend a sparkline can give you a good indication of when cases happened throughout the day. How about you summarize using something like

search.. | stats sparkline sum(cases) as NoOfCases by location

0 Karma
Reply

sbnoobbb
Path Finder
‎07-19-2013 12:58 AM

What I want to achieve is to add up all the cases in the same location, but I have lots of duplicate event inside splunk. The data came out incorrect when i use sum.Is okay, I have solved the problem.
Thanks anyway (:

0 Karma
Reply

asimagu
Builder
‎07-18-2013 07:49 PM

do you want to achieve that at the same time that you get that table?? coz otherwise you can always omit "description" in your search, sorry not sure if I understood what you are after

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...

Fun with Regular Expression - multiples of nine

Fun with Regular Expression - multiples of nineThis challenge was first posted on Slack #regex channel ...