Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

timechart per minute by multiple fields

sahil237888
Path Finder
‎02-02-2020 10:05 AM

Hi,

I have two fields with different values and I want count on both basis. These are events and hosts occured in log files.

Example -

I have fields like host and event.
Host values are like A , B, C,D.
Events are like reboot , running, shutdown.

And the results should show like -

_time A:reboot A:shutdown B:reboot C:running
00:01 1 2 1 4
00:02 2 4 3 1
00:03 0 1 4 5
00:04 1 2 0 1

0 Karma
Reply

to4kawa
Ultra Champion
‎02-03-2020 04:57 AM

sample:

| makeresults 
| eval host="a;b", events="reboot;running;shutdown" 
| makemv delim=";" host 
| makemv delim=";" events 
| stats values(_time) as _time by host events
| stats sum(eval(events="reboot")) as reboot sum(eval(events="running")) as running sum(eval(events="shutdown")) as shutdown by _time host
| xyseries _time host reboot running shutdown sep="_"
| foreach *_* [ rename <<FIELD>> as <<MATCHSEG2>>_<<MATCHSEG1>>]

recommend:

your_search
| bin _time span=1min
| stats count(eval(events="reboot")) as reboot count(eval(events="running")) as running count(eval(events="shutdown")) as shutdown by _time host
| xyseries _time host reboot running shutdown sep="_"
| foreach *_* [ rename <<FIELD>> as <<MATCHSEG2>>:<<MATCHSEG1>>]

Hi, @sahil237888
@MuS 's way is simple and good.
However, there is a problem.
If there is no status in the search period, the status will not be displayed.
If you need to output 0 as a result of three statuses, use my query.

0 Karma
Reply

MuS
Legend
‎02-02-2020 12:47 PM

Hi sahil237888,

you need to create a new field that represent host and the events and use this in the timechart command, take a look at this run everywhere SPL:

| makeresults 
| eval host="a;b", events="reboot;running;shutdown" 
| makemv delim=";" host 
| makemv delim=";" events 
| mvexpand host 
| mvexpand events 
| eval joiner=host .":". events 
| timechart span=1min count by joiner

Hope this helps ...

cheers, MuS

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...