https://community.splunk.com/t5/Dashboards-Visualizations/Splunk-Visualization-is-not-giving-below-results/m-p/684506#M56035 <P>Hello Splunkers!!</P> <P>I want to achieve below screenshot visualization.&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="uagraw01_0-1713357668754.png" style="width: 400px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/30446iEF7F7B5D21C20B39/image-size/medium?v=v2&amp;px=400" role="button" title="uagraw01_0-1713357668754.png" alt="uagraw01_0-1713357668754.png" /></span></P> <P>&nbsp;</P> <P>Below is my current query :</P> <P>======================================================</P> <LI-CODE lang="markup">index=ABC sourcetype=ReplenishmentOrderAssign OR sourcetype=ReplenishmentOrderCompleted OR sourcetype=ReplenishmentOrderStarted OR sourcetype=ReplenishmentOrderCancel | rex field=_raw "SenderFmInstanceName\&gt;(?P&lt;Workstation&gt;[A-Za-z0-9]+\/[A-Za-z0-9]+)\&lt;\/SenderFmInstanceName" | rename ReplenishmentOrderAssign.OrderId as OrderId | eval TimeAssigned=if(like(sourcetype,"%Assign"),_time,null) , TimeStarted=if(like(sourcetype,"%Started"),_time,null), TimeCompleted=if(like(sourcetype,"%Completed"),_time,null) | eventstats count(OrderId) as CountOrderTypes by OrderId | timechart span=5m count(TimeAssigned) as Assigned count(TimeStarted) as Started count(TimeCompleted) as Completed by Workstation | streamstats sum(*) | foreach "sum(Assigned:*)" [| eval &lt;&lt;MATCHSEG1&gt;&gt;Assigned='&lt;&lt;FIELD&gt;&gt;'-'sum(Completed:&lt;&lt;MATCHSEG1&gt;&gt;)'] | foreach "sum(Started:*)" [| eval &lt;&lt;MATCHSEG1&gt;&gt;Started='&lt;&lt;FIELD&gt;&gt;'-'sum(Completed:&lt;&lt;MATCHSEG1&gt;&gt;)'] | fields _time DEP* | foreach "DEP/*" [| eval &lt;&lt;MATCHSEG1&gt;&gt;=if('&lt;&lt;FIELD&gt;&gt;'&gt;0,1,0)] | fields - DEP/* | foreach "*Assigned" [| eval &lt;&lt;FIELD&gt;&gt;='&lt;&lt;FIELD&gt;&gt;'-'&lt;&lt;MATCHSEG1&gt;&gt;Started'] | foreach "*Assigned" [| eval &lt;&lt;MATCHSEG1&gt;&gt;Idle=1-'&lt;&lt;FIELD&gt;&gt;'-'&lt;&lt;MATCHSEG1&gt;&gt;Started'] | addtotals *Started fieldname=Active | addtotals *Assigned fieldname=Assigned | addtotals *Idle fieldname=Idle | fields _time Idle Assigned Active | bin span=$span$ _time | eventstats sum(*) as * by _time | dedup _time</LI-CODE> <P>Current query is giving me below visualization. Please help me where I need to change in the query to get the above visualization?</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="uagraw01_0-1713357527227.png" style="width: 400px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/30445i61DF8AE3A1DC1ABD/image-size/medium?v=v2&amp;px=400" role="button" title="uagraw01_0-1713357527227.png" alt="uagraw01_0-1713357527227.png" /></span></P> <P>&nbsp;</P> Wed, 17 Apr 2024 15:40:24 GMT uagraw01 2024-04-17T15:40:24Z https://community.splunk.com/t5/Dashboards-Visualizations/Splunk-Visualization-is-not-giving-below-results/m-p/684506#M56035 <P>Hello Splunkers!!</P> <P>I want to achieve below screenshot visualization.&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="uagraw01_0-1713357668754.png" style="width: 400px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/30446iEF7F7B5D21C20B39/image-size/medium?v=v2&amp;px=400" role="button" title="uagraw01_0-1713357668754.png" alt="uagraw01_0-1713357668754.png" /></span></P> <P>&nbsp;</P> <P>Below is my current query :</P> <P>======================================================</P> <LI-CODE lang="markup">index=ABC sourcetype=ReplenishmentOrderAssign OR sourcetype=ReplenishmentOrderCompleted OR sourcetype=ReplenishmentOrderStarted OR sourcetype=ReplenishmentOrderCancel | rex field=_raw "SenderFmInstanceName\&gt;(?P&lt;Workstation&gt;[A-Za-z0-9]+\/[A-Za-z0-9]+)\&lt;\/SenderFmInstanceName" | rename ReplenishmentOrderAssign.OrderId as OrderId | eval TimeAssigned=if(like(sourcetype,"%Assign"),_time,null) , TimeStarted=if(like(sourcetype,"%Started"),_time,null), TimeCompleted=if(like(sourcetype,"%Completed"),_time,null) | eventstats count(OrderId) as CountOrderTypes by OrderId | timechart span=5m count(TimeAssigned) as Assigned count(TimeStarted) as Started count(TimeCompleted) as Completed by Workstation | streamstats sum(*) | foreach "sum(Assigned:*)" [| eval &lt;&lt;MATCHSEG1&gt;&gt;Assigned='&lt;&lt;FIELD&gt;&gt;'-'sum(Completed:&lt;&lt;MATCHSEG1&gt;&gt;)'] | foreach "sum(Started:*)" [| eval &lt;&lt;MATCHSEG1&gt;&gt;Started='&lt;&lt;FIELD&gt;&gt;'-'sum(Completed:&lt;&lt;MATCHSEG1&gt;&gt;)'] | fields _time DEP* | foreach "DEP/*" [| eval &lt;&lt;MATCHSEG1&gt;&gt;=if('&lt;&lt;FIELD&gt;&gt;'&gt;0,1,0)] | fields - DEP/* | foreach "*Assigned" [| eval &lt;&lt;FIELD&gt;&gt;='&lt;&lt;FIELD&gt;&gt;'-'&lt;&lt;MATCHSEG1&gt;&gt;Started'] | foreach "*Assigned" [| eval &lt;&lt;MATCHSEG1&gt;&gt;Idle=1-'&lt;&lt;FIELD&gt;&gt;'-'&lt;&lt;MATCHSEG1&gt;&gt;Started'] | addtotals *Started fieldname=Active | addtotals *Assigned fieldname=Assigned | addtotals *Idle fieldname=Idle | fields _time Idle Assigned Active | bin span=$span$ _time | eventstats sum(*) as * by _time | dedup _time</LI-CODE> <P>Current query is giving me below visualization. Please help me where I need to change in the query to get the above visualization?</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="uagraw01_0-1713357527227.png" style="width: 400px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/30445i61DF8AE3A1DC1ABD/image-size/medium?v=v2&amp;px=400" role="button" title="uagraw01_0-1713357527227.png" alt="uagraw01_0-1713357527227.png" /></span></P> <P>&nbsp;</P> Wed, 17 Apr 2024 15:40:24 GMT https://community.splunk.com/t5/Dashboards-Visualizations/Splunk-Visualization-is-not-giving-below-results/m-p/684506#M56035 uagraw01 2024-04-17T15:40:24Z https://community.splunk.com/t5/Dashboards-Visualizations/Splunk-Visualization-is-not-giving-below-results/m-p/684543#M56038 <P>Is there anybody who can help me here ?</P> Wed, 17 Apr 2024 17:43:27 GMT https://community.splunk.com/t5/Dashboards-Visualizations/Splunk-Visualization-is-not-giving-below-results/m-p/684543#M56038 uagraw01 2024-04-17T17:43:27Z