topic Re: How to convert from timechart to column chart with totals? in Dashboards & Visualizations

How to convert from timechart to column chart with totals?

mcram52 — Thu, 13 Jun 2019 16:32:34 GMT

I'm new to Splunk (and programming languages in general) but my company has many existing dashboards, so I'm trying to take pieces of existing dashboards and tweak them for my purposes. I have the following search from an existing chart:

(index=epackage OR index=dxprd01-epackage) flow_event=Package*
| eval 
    You = if(username="$env:user$",numberOfReports,0),
    Others = if(username="$env:user$",0,numberOfReports),
    Other_users = if(username="$env:user$",null(),username),
    Day = strftime(_time,"%F")
| eventstats dc(Other_users) as Other_users by Day
| timechart span=1d sum(You) as You sum(Others) as Others values(Other_users) as Other_users
| eval Others_avg = round(Others/Other_users,0)
| fields - Others, Other_users

This displays the total of one user's flow event per day compared with the average of the other users for that day. What changes need to be made so I can have the same two columns (single user vs. others average), but showing only the totals over the given time period (such as month to date) rather than by day? Hopefully this makes sense.

Re: How to convert from timechart to column chart with totals?

somesoni2 — Thu, 13 Jun 2019 17:16:54 GMT

Try this (Updated)

(index=epackage OR index=dxprd01-epackage) flow_event=Package*
| eval 
You = if(username="$env:user$",numberOfReports,0),
Others = if(username="$env:user$",0,numberOfReports),
Other_users = if(username="$env:user$",null(),username),
Report="Total Flow Event Count"
|stats sum(You) as You sum(Others) as Others dc(Other_users) as Other_users by Report
| eval Others_avg = round(Others/Other_users,0)
| fields - Others, Other_users

Re: How to convert from timechart to column chart with totals?

mcram52 — Thu, 13 Jun 2019 17:23:33 GMT

No luck:

Error in 'eval' command: Failed to parse the provided arguments. Usage: eval dest_key = expression.

Re: How to convert from timechart to column chart with totals?

somesoni2 — Thu, 13 Jun 2019 17:30:30 GMT

Try now, there was leftover comma in last eval (line 5).

Re: How to convert from timechart to column chart with totals?

mcram52 — Wed, 30 Sep 2020 00:54:38 GMT

That's getting closer to what I wanted but not quite. Everything is totaled as it should be, but the total for 'You' is now the entire x axis, with one column showing the 'Others_avg' total. Is there a way to have the 'You' and 'Other_avg' displayed as two separate columns?

Re: How to convert from timechart to column chart with totals?

somesoni2 — Thu, 13 Jun 2019 17:48:57 GMT

Try the new version.

Re: How to convert from timechart to column chart with totals?

mcram52 — Thu, 13 Jun 2019 17:58:52 GMT

Almost there! Thank you so much for working with me on this. There's two separate columns now but one is on top of the other (not stacked, but separated). Any way the columns can be placed side by side? It almost looks like the x and y axis need to be switched if that's possible.

Re: How to convert from timechart to column chart with totals?

mcram52 — Thu, 13 Jun 2019 19:04:32 GMT

Nevermind, figured it out. Thanks!