topic Re: How do you chart two unrelated numbers? in Splunk Search

How do you chart two unrelated numbers?

tmaurst — Tue, 12 Feb 2019 23:13:23 GMT

I am completely stumped as to how to chart two numbers.

I have two counts from two searches. I simply want to chart them side by side.

sourcetype=mySource AND first string I'm looking for | stats count as firstCount | appendcols [search sourcetype=mySource AND second string I'm looking for | stats count as secondCount] | chart <how to chart firstCount and secondCount on bar graph?>

The counts are fine and are returning the expected values. I just can't figure out how to chart them together. For instance, if I have the numbers 5 and 10, how can those show up on a simple numbered x-axis together in bar graph form?

Thanks

Re: How do you chart two unrelated numbers?

richgalloway — Tue, 12 Feb 2019 23:36:54 GMT

You don't need two searches. Put both conditions into the base search then use an eval to create a field that distinguishes each. Use that field in the chart command to show the counts. Depending on your data, there may be other ways to do the eval (a unique field in each, for instance).

sourcetype=mySource ("first string I'm looking for" OR "second string I'm looking for") 
| eval split=if(match(_raw, ".*first string I'm looking for.*"), "first", "second") | chart count by split

Re: How do you chart two unrelated numbers?

woodcock — Tue, 12 Feb 2019 23:38:24 GMT

Like this:

index=YouShouldAlwaysSpecifyAnIndex AND sourcetype=mySource AND ("first string" OR "second string")
| stats count(eval(searchmatch("first string"))) AS firstCount count(eval(searchmatch("seconds string"))) AS secondCount

The rest is a matter of picking the right visualization and configuration options for it.

Re: How do you chart two unrelated numbers?

tmaurst — Wed, 13 Feb 2019 17:26:01 GMT

Thanks. Why should we always use an index? I'm guessing performance related but can you be more specific as to why?

Re: How do you chart two unrelated numbers?

tmaurst — Wed, 13 Feb 2019 17:28:05 GMT

This works, thank you. For a bonus... when one of the counts is 0, it will not have a bar on the graph. Is there a way to force a placement for this, such that the 0 value is conveyed? Otherwise it's not apparent that two values are being compared.

Re: How do you chart two unrelated numbers?

woodcock — Wed, 13 Feb 2019 17:34:26 GMT

When you are not referencing an index in your search, you are relying on the Indexes searched by default setting that your admins control so this setting can be changed at any time without notice and varies from role-to-role. This means that your search could behave very differently from user to user at the same time or for the same user across time. This is absurdly risky and negligent on your part.

Re: How do you chart two unrelated numbers?

woodcock — Wed, 13 Feb 2019 17:36:06 GMT

Be sure to spread around the UpVotes to helpful answers and comments and click Accept to close your question.

Re: How do you chart two unrelated numbers?

tmaurst — Wed, 13 Feb 2019 18:01:26 GMT

Makes sense.

Re: How do you chart two unrelated numbers?

woodcock — Wed, 13 Feb 2019 18:19:11 GMT

Ask a new question.