Solved: group values in search

wsw70 · ‎12-19-2011

Hello,

I have data in the form of a date,server,events triplet. The fields are correctly extracted and assigned.

date1,server1,3
date2,server2,5
date3,server3,2
date4,server4,2

server1, server2 and server4 are all part of the same group, EMEA. server3 is not part of any group.

I am looking at ultimately creating a bar chart with the groups and non-grouped servers all together - with the number of events summed up:

EMEA      |---|-----|--|
server3   |--|

The bars are stacked and the stack is made up by the servers in a group.

The closest I found is using lookups with an OUTPUT clause (lookup OSServersRegions.csv server OUTPUT region) -- this works fine except that I get three pairs (region,number). I do not know how to chart so that the results are stacked by server within a region.

In other words what I get today is

EMEA      |----------|
AP        |--|

What would be the magic incantation to get the stacks? 🙂

Thanks!

Ayn · ‎12-19-2011

Given a bunch of servers with their respective event count and their region, how about this:

... | chart count over region by server

View solution in original post

Ayn · ‎12-19-2011

Given a bunch of servers with their respective event count and their region, how about this:

... | chart count over region by server

wsw70 · ‎12-19-2011

Wonderful, thanks. I still have a hard time completely understanding the philosophy behind the general splunk syntax

group values in search

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

Splunk Community Badges!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Join the Conversation