- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Query Help: Sorting Results by Group
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have a search that gives me the date and total number of projects:
index=eis_continuous_integration sourcetype=eisci
| timechart span=1d count as projectTypes by SRCProject
| rename _time as Date
|convert timeformat="%m/%d/%Y" ctime(Date)
How can I make it so the results are also sorted by Group ( Group is a field extracted in which its values are ESB, CG, and EG). I'd like to make it so the chart displays a break down of each group by project. When I use ...| timechart span=1d count as projectTypes by SRCProject, Group, Splunk sees ", Group" as an invalid argument.
Do you know how I could modify this query to display the results I'm looking for?
Thanks!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
As @aholzer points out, timechart can have only 1 field after the by. However, if you want a table, you could do it this way
index=eis_continuous_integration sourcetype=eisci
| bucket span=1d _time as Date
| stats count as projectTypes by Date SRCProject Group
| eval Date = strftime(Date, ""%m/%d/%Y"")
Another alternative is this
index=eis_continuous_integration sourcetype=eisci
| eval ProjectGroup = SRCProject . " - " . Group
| timechart span=1d count as projectTypes by ProjectGroup
| rename _time as Date
| convert timeformat="%m/%d/%Y" ctime(Date)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
search |sort group|bucket _time span=1d |chart count by _time,project,group
moreover you can also use stats and make a table of your choice to show on dashboard.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
As @aholzer points out, timechart can have only 1 field after the by. However, if you want a table, you could do it this way
index=eis_continuous_integration sourcetype=eisci
| bucket span=1d _time as Date
| stats count as projectTypes by Date SRCProject Group
| eval Date = strftime(Date, ""%m/%d/%Y"")
Another alternative is this
index=eis_continuous_integration sourcetype=eisci
| eval ProjectGroup = SRCProject . " - " . Group
| timechart span=1d count as projectTypes by ProjectGroup
| rename _time as Date
| convert timeformat="%m/%d/%Y" ctime(Date)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Maybe a chart with Date, SRCProject,EG,ESB,CG as headers and the values underneath?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks all! I like index=eis_continuous_integration sourcetype=eisci
|search Group="EG"
| bucket span=1d _time as Date
| stats count as totalTypes by Date, SRCProject, Group
| eval Date = strftime(Date, "%m/%d/%Y")
How can I modify this so in the chart in stead of "Group", It shows "EG" as a header, and the value "30" under it. Is that possible?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Timechart only accepts one 'by' field. You wouldn't be able to timechart your results. If you just want a table of results then use stats and you can use as many fields as you want in your 'by'. Then simply add a pipe to a 'sort' to list the fields in decreasing priority how you would like them sorted.
Hope this helps
.conf24 | Registration Open!
ICYMI - Check out the latest releases of Splunk Edge Processor
Introducing the 2024 SplunkTrust!
