How to convert "OR" result to line chart

Question

I have a query to get the browser info for every event.

"http://" index=web GET (Chrome OR Safari OR IE OR Firefox)

How can I convert the result to a line chart to get browser usage based on different browsers? I can create line chart for each browser but I want to show the usage on the same chart.

score 1 · Answer 1 · answered Aug 14 '19 at 16:19

1

The browser should be a Field (check your log body to find field name). If this is a case you need to pipe a stats count statement, for example :

"http://" AND index=web | stats count by `browser`

(we assume that Field name is browser)

Visualization will give you the chart view.

answered Aug 14 '19 at 16:19

Tsakiroglou Fotis

953
8
24

The problem is browser information is part of another filed like useragent: some information/chrome(can be IE, Firefox....)/version...... If I count by useragent, it will count all the useragent not specific browser. – HenlenLee Aug 14 '19 at 17:11
and why don't you use a regex?Check this : https://stackoverflow.com/questions/32359316/splunk-query-for-counting-based-on-regex and the count like : | stats count as mycount by browser – Tsakiroglou Fotis Aug 15 '19 at 08:33

How to convert "OR" result to line chart

1 Answers1