I have following splunk fields
Date,Group,State
State can have following values InProgress|Declined|Submitted
I like to get following result
Date. Group. TotalInProgress. TotalDeclined TotalSubmitted. Total
-----------------------------------------------------------------------------
12-12-2021 A. 13. 10 15 38
I couldn't figured it out. Any help would be appreciated
Perhaps this example query will help.
| makeresults | eval _raw="Date,Group,State
12-12-2021,A,InProgress
12-12-2021,B,InProgress
12-12-2021,A,Declined
12-12-2021,A,InProgress
12-12-2021,A,Submitted
12-12-2021,B,Submitted
12-12-2021,A,InProgress
12-12-2021,A,InProgress
12-12-2021,B,Declined
12-12-2021,A,InProgress
12-12-2021,A,Submitted
12-12-2021,A,Submitted"
| multikv forceheader=1
```Above lines just set up test data```
```Set variables based on the State field```
| eval InProgress=if(State="InProgress", 1, 0), Declined=if(State="Declined", 1, 0), Submitted=if(State="Submitted", 1, 0)
```Count events```
| stats count as Total, sum(InProgress) as TotalInProgress, sum(Declined) as TotalDeclined, sum(Submitted) as TotalSubmitted by Date,Group
| table Date Group TotalInProgress TotalDeclined TotalSubmitted Total
