https://community.splunk.com/t5/Dashboards-Visualizations/Create-TimeSpan-Line-Chart-After-Eval-ing/m-p/416204#M27363 <P>@migquinn If your problem is resolved, please accept the answer to help future readers.</P> Sat, 15 Jun 2019 11:10:51 GMT richgalloway 2019-06-15T11:10:51Z https://community.splunk.com/t5/Dashboards-Visualizations/Create-TimeSpan-Line-Chart-After-Eval-ing/m-p/416201#M27360 <P>Do any experienced Splunkers know what needs to be changed to my query below in order to create a TimeSpan Line Chart over say the past 30 days for counts of the four Severity levels created by the Eval command?</P> <PRE><CODE>index=myIndex source=mySource host=myHost sourcetype=mySourceType | stats count(eval(severity="0" OR severity="1" OR severity="2")) as Low count(eval(severity="3" OR severity="4" OR severity="5")) as Medium count(eval(severity="6" OR severity="7" OR severity="8")) as High count(eval(severity="9" OR severity="10")) as Critical | table Low Medium High Critical | transpose | rename column as Severity "row 1" as Count </CODE></PRE> <P>I have attached a screenshot and instead of the values on the right-hand side being 1 - 10, I'd like them to be Low, Medium etc...</P> <P>Thanks in advance</P> <P><span class="lia-inline-image-display-wrapper" image-alt="alt text"><img src="https://community.splunk.com/t5/image/serverpage/image-id/7182i2E29A8B8D7EE4E5F/image-size/large?v=v2&amp;px=999" role="button" title="alt text" alt="alt text" /></span></P> Sun, 09 Jun 2019 02:21:27 GMT https://community.splunk.com/t5/Dashboards-Visualizations/Create-TimeSpan-Line-Chart-After-Eval-ing/m-p/416201#M27360 migquinn 2019-06-09T02:21:27Z https://community.splunk.com/t5/Dashboards-Visualizations/Create-TimeSpan-Line-Chart-After-Eval-ing/m-p/416202#M27361 <P>Try this untested query:</P> <PRE><CODE>index=myIndex source=mySource host=myHost sourcetype=mySourceType | eval Severity=case(severity="0" OR severity="1" OR severity="2"), "Low", (severity="3" OR severity="4" OR severity="5"), "Medium", (severity="6" OR severity="7" OR severity="8"), "High", (severity="9" OR severity="10"), "Critical") | timechart count as Count by Severity </CODE></PRE> Sun, 09 Jun 2019 17:33:57 GMT https://community.splunk.com/t5/Dashboards-Visualizations/Create-TimeSpan-Line-Chart-After-Eval-ing/m-p/416202#M27361 richgalloway 2019-06-09T17:33:57Z https://community.splunk.com/t5/Dashboards-Visualizations/Create-TimeSpan-Line-Chart-After-Eval-ing/m-p/416203#M27362 <P>Thanks for the input. It didn't work when I tried it but I took your command, switched it up a little and positioned it further up the query and it worked:</P> <P>index=myIndex source=mySource host=myHost sourcetype=mySourceType | timechart count(eval(severity="0" OR severity="1" OR severity="2")) as Low count(eval(severity="3" OR severity="4" OR severity="5")) as Medium count(eval(severity="6" OR severity="7" OR severity="8")) as High count(eval(severity="9" OR severity="10")) as Critical</P> <P>Again, thanks for your help on this!</P> Wed, 12 Jun 2019 23:31:06 GMT https://community.splunk.com/t5/Dashboards-Visualizations/Create-TimeSpan-Line-Chart-After-Eval-ing/m-p/416203#M27362 migquinn 2019-06-12T23:31:06Z https://community.splunk.com/t5/Dashboards-Visualizations/Create-TimeSpan-Line-Chart-After-Eval-ing/m-p/416204#M27363 <P>@migquinn If your problem is resolved, please accept the answer to help future readers.</P> Sat, 15 Jun 2019 11:10:51 GMT https://community.splunk.com/t5/Dashboards-Visualizations/Create-TimeSpan-Line-Chart-After-Eval-ing/m-p/416204#M27363 richgalloway 2019-06-15T11:10:51Z