ℕʘʘḆḽḘ
Reputation: 19375
how count and plot several searches at once?
I am counting the number of hits on my website using splunk. My current search looks for a keywordA as follows:
index=mydata keywordA |bucket _time span=day |stats count by _time
However, I would like to add several other searches to the output, say for other keywords (keywordB for instance):
index=mydata keywordB |bucket _time span=day |stats count by _time
Note: these searches are not necessarily mutually exlusive! So the searches need to be run independently.
I would like to have the total daily count for each search at once, so that I avoid running each search separately.
Output should be:
day keyA keyB
2020-01-01 423 354
2020-01-02 523 254
What is the best way to proceed?
Thanks!
Upvotes: 0
Views: 241
Answers (1)
RichG
Reputation: 9916
Try this search that combines your two. Other than the stats command, it doesn't scale well for many keywords.
index=mydata (keywordA OR keywordB)
| bin span=1d _time
| eval keyword = case(match(_raw, "keywordA"), "keywordA", match(_raw, "keywordB"), "keywordB", 1==1, "other")
| stats count by _time, keyword
Upvotes: 1
Related Questions
- How to do cross validation and counts between two search queries using Multisearch
- Splunk: How to get two searches in one timechart/graph?
- Splunk how to display multiple stats queries in table?
- Splunk query - Total or Count by field
- Count and sum in splunk
- How to add multiple queries in one search in Splunk
- How to count the total number of events in a splunk search result?
- How to accumulate counts from different searches into one (pie) chart?
- How to count results in Splunk and put them in a table?
- Splunk Query Count of Count