Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- What syntax can I use to run a search that sorts v...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have data for 1 day where I want to sort it with activity like following manner, total number of records took 0-3 sec , total number of records took 3-4 and goes on. Want to present it in one query.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
There are two basic syntaxes you can use (probably a dozen more, but these two demonstrate the top two in use)
your query here
| eval mygroup=case(Val_value>=0 AND Val_value<=3,"0.0 to 3.0",
Val_value>3 AND Val_value<=4,"3.0+ to 4.0",
Val_value>4 AND Val_value<=5,"4.0+ to 5.0",
Val_value>5 AND Val_value<=6,"5.0+ to 6.0",
true(),"6.0+")
...then your choice of one of these two...
| stats count by mygroup
| chart count by mygroup
stats presents one record per value of mygroup, chart would present them horizontally.
... OR ...
your query here
| stats count(eval(Val_value>=0 AND Val_value<=3)) as "0.0 to 3.0",
count(eval(Val_value>3 AND Val_value<=4)) as "3.0+ to 4.0",
count(eval(Val_value>4 AND Val_value<=5)) as "4.0+ to 5.0",
count(eval(Val_value>5 AND Val_value<=6)) as "5.0+ to 6.0",
count(eval(Val_value>6)) as "6.+"
This second version presents them horizontally. If you wanted to change them to vertically, you could do it the other way, or add this afterward...
| eval junk=1
| untable junk mygroup count
| fields - junk
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@DalJeanis can create a pi chart or graph for the above query ??
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
There are two basic syntaxes you can use (probably a dozen more, but these two demonstrate the top two in use)
your query here
| eval mygroup=case(Val_value>=0 AND Val_value<=3,"0.0 to 3.0",
Val_value>3 AND Val_value<=4,"3.0+ to 4.0",
Val_value>4 AND Val_value<=5,"4.0+ to 5.0",
Val_value>5 AND Val_value<=6,"5.0+ to 6.0",
true(),"6.0+")
...then your choice of one of these two...
| stats count by mygroup
| chart count by mygroup
stats presents one record per value of mygroup, chart would present them horizontally.
... OR ...
your query here
| stats count(eval(Val_value>=0 AND Val_value<=3)) as "0.0 to 3.0",
count(eval(Val_value>3 AND Val_value<=4)) as "3.0+ to 4.0",
count(eval(Val_value>4 AND Val_value<=5)) as "4.0+ to 5.0",
count(eval(Val_value>5 AND Val_value<=6)) as "5.0+ to 6.0",
count(eval(Val_value>6)) as "6.+"
This second version presents them horizontally. If you wanted to change them to vertically, you could do it the other way, or add this afterward...
| eval junk=1
| untable junk mygroup count
| fields - junk
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@DalJeanis, thanks for the update, let me try and will post my result
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Currently I have separate query as follows :
query 1 : where Val_value>=0 AND Val_value<=3 | stats count
query 2 : where Val_value>=3.1 AND Val_value<=4 | stats count
query 3 : where Val_value>=4.1 AND Val_value<=5 | stats count
query 4 : where Val_value>=5.1 AND Val_value<=6 | stats count
So I want to merge the above request into 1 query. How to do it ?
Index This | What is broken 80% of the time by February?
Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...
Splunk MCP & Agentic AI: Machine Data Without Limits
