Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Query Help: Sorting Results by Group

_gkollias
Builder
‎01-29-2014 11:46 AM

I have a search that gives me the date and total number of projects:

index=eis_continuous_integration sourcetype=eisci
| timechart span=1d count as projectTypes by SRCProject
| rename _time as Date
|convert timeformat="%m/%d/%Y" ctime(Date)

How can I make it so the results are also sorted by Group ( Group is a field extracted in which its values are ESB, CG, and EG). I'd like to make it so the chart displays a break down of each group by project. When I use ...| timechart span=1d count as projectTypes by SRCProject, Group, Splunk sees ", Group" as an invalid argument.

Do you know how I could modify this query to display the results I'm looking for?

Thanks!

Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

lguinn2
Legend
‎01-29-2014 12:33 PM

As @aholzer points out, timechart can have only 1 field after the by. However, if you want a table, you could do it this way

index=eis_continuous_integration sourcetype=eisci 
| bucket span=1d  _time  as Date
| stats count as projectTypes by Date SRCProject Group
| eval Date = strftime(Date, ""%m/%d/%Y"")

Another alternative is this

index=eis_continuous_integration sourcetype=eisci 
| eval ProjectGroup = SRCProject . "  -  " . Group
| timechart span=1d count as projectTypes by ProjectGroup
| rename _time as Date 
| convert timeformat="%m/%d/%Y" ctime(Date)

View solution in original post

Reply
Solved! Jump to solution

linu1988
Champion
‎01-29-2014 12:45 PM

search |sort group|bucket _time span=1d |chart count by _time,project,group

moreover you can also use stats and make a table of your choice to show on dashboard.

0 Karma
Reply
Solved! Jump to solution
Solution

lguinn2
Legend
‎01-29-2014 12:33 PM

As @aholzer points out, timechart can have only 1 field after the by. However, if you want a table, you could do it this way

index=eis_continuous_integration sourcetype=eisci 
| bucket span=1d  _time  as Date
| stats count as projectTypes by Date SRCProject Group
| eval Date = strftime(Date, ""%m/%d/%Y"")

Another alternative is this

index=eis_continuous_integration sourcetype=eisci 
| eval ProjectGroup = SRCProject . "  -  " . Group
| timechart span=1d count as projectTypes by ProjectGroup
| rename _time as Date 
| convert timeformat="%m/%d/%Y" ctime(Date)
Reply
Solved! Jump to solution

_gkollias
Builder
‎01-29-2014 01:17 PM

Maybe a chart with Date, SRCProject,EG,ESB,CG as headers and the values underneath?

0 Karma
Reply
Solved! Jump to solution

_gkollias
Builder
‎01-29-2014 01:15 PM

Thanks all! I like index=eis_continuous_integration sourcetype=eisci
|search Group="EG"
| bucket span=1d _time as Date
| stats count as totalTypes by Date, SRCProject, Group
| eval Date = strftime(Date, "%m/%d/%Y")

How can I modify this so in the chart in stead of "Group", It shows "EG" as a header, and the value "30" under it. Is that possible?

0 Karma
Reply
Solved! Jump to solution

aholzer
Motivator
‎01-29-2014 11:57 AM

Timechart only accepts one 'by' field. You wouldn't be able to timechart your results. If you just want a table of results then use stats and you can use as many fields as you want in your 'by'. Then simply add a pipe to a 'sort' to list the fields in decreasing priority how you would like them sorted.

Hope this helps

Reply
Get Updates on the Splunk Community!

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...

🔐 Trust at Every Hop: How mTLS in Splunk Enterprise 10.0 Makes Security Simpler

From Idea to Implementation: Why Splunk Built mTLS into Splunk Enterprise 10.0  mTLS wasn’t just a checkbox ...