- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Query Help: Sorting Results by Group
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have a search that gives me the date and total number of projects:
index=eis_continuous_integration sourcetype=eisci
| timechart span=1d count as projectTypes by SRCProject
| rename _time as Date
|convert timeformat="%m/%d/%Y" ctime(Date)
How can I make it so the results are also sorted by Group ( Group is a field extracted in which its values are ESB, CG, and EG). I'd like to make it so the chart displays a break down of each group by project. When I use ...| timechart span=1d count as projectTypes by SRCProject, Group, Splunk sees ", Group" as an invalid argument.
Do you know how I could modify this query to display the results I'm looking for?
Thanks!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
As @aholzer points out, timechart can have only 1 field after the by. However, if you want a table, you could do it this way
index=eis_continuous_integration sourcetype=eisci
| bucket span=1d _time as Date
| stats count as projectTypes by Date SRCProject Group
| eval Date = strftime(Date, ""%m/%d/%Y"")
Another alternative is this
index=eis_continuous_integration sourcetype=eisci
| eval ProjectGroup = SRCProject . " - " . Group
| timechart span=1d count as projectTypes by ProjectGroup
| rename _time as Date
| convert timeformat="%m/%d/%Y" ctime(Date)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
search |sort group|bucket _time span=1d |chart count by _time,project,group
moreover you can also use stats and make a table of your choice to show on dashboard.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
As @aholzer points out, timechart can have only 1 field after the by. However, if you want a table, you could do it this way
index=eis_continuous_integration sourcetype=eisci
| bucket span=1d _time as Date
| stats count as projectTypes by Date SRCProject Group
| eval Date = strftime(Date, ""%m/%d/%Y"")
Another alternative is this
index=eis_continuous_integration sourcetype=eisci
| eval ProjectGroup = SRCProject . " - " . Group
| timechart span=1d count as projectTypes by ProjectGroup
| rename _time as Date
| convert timeformat="%m/%d/%Y" ctime(Date)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Maybe a chart with Date, SRCProject,EG,ESB,CG as headers and the values underneath?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks all! I like index=eis_continuous_integration sourcetype=eisci
|search Group="EG"
| bucket span=1d _time as Date
| stats count as totalTypes by Date, SRCProject, Group
| eval Date = strftime(Date, "%m/%d/%Y")
How can I modify this so in the chart in stead of "Group", It shows "EG" as a header, and the value "30" under it. Is that possible?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Timechart only accepts one 'by' field. You wouldn't be able to timechart your results. If you just want a table of results then use stats and you can use as many fields as you want in your 'by'. Then simply add a pipe to a 'sort' to list the fields in decreasing priority how you would like them sorted.
Hope this helps
Announcing Scheduled Export GA for Dashboard Studio
Extending Observability Content to Splunk Cloud
More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!
