topic Re: How to display charts based on condition by some field in Splunk Search

How to display charts based on condition by some field

avni26 — Thu, 06 Feb 2020 08:00:11 GMT

Hi ,
I want to display two charts , one column and line chart in single panel based on condition.
For example, if result=found then column chart based on user for all months and when result="not found" then line chart based on user
My data is like,
Users result Jan Feb Mar Apr May Jun July .. Dec
ABC found 100 102 103 102 100 105 200... 70
ABC Not-Found 20 50 22 30 60 22 43 .... 10
XYZ found 120 80 70 ..........................................
XYZ Not-Found 24 30 15 .........................................

Now, want to display coulmn chart when result=found ,x-axis (Months) and in Y-axis (months Value) by Users and
in same panel want to show line chart when result=not found , ,x-axis (Months) and in Y-axis (months Value) by Users

Please suggest.

Re: How to display charts based on condition by some field

13tsavage — Thu, 06 Feb 2020 17:06:36 GMT

You do not want to chart individual users correct? Because that could be a MASSIVELY long chart if you have hundreds of users.

You just want a TOTAL COUNT of users found and not found?

Re: How to display charts based on condition by some field

somesoni2 — Thu, 06 Feb 2020 22:22:43 GMT

You could use post process searches in your dashboard and feed 2 post process searches to each of the visualization.

Base search:

Your base search giving fields Users result Jan Feb...
| eval temp=Users."##".result | fields - Users result
| untable temp month valueForMonth
| rex field=temp "(?<Users>.+)##(?<result>.+)" | fields - temp
| stats sum(valueForMonth) as valueForMonth by month result

Post process 1 - for column chart

| where result="found" | table month valueForMonth

Post process 2 - for line chart

| where result="No-found" | table month valueForMonth

For example on how to write post process searches for dashboard, refer to this Splunk documentation:
https://docs.splunk.com/Documentation/Splunk/8.0.1/Viz/Savedsearches#Examples_2 (first example is close to what you need)

Re: How to display charts based on condition by some field

to4kawa — Fri, 07 Feb 2020 00:34:47 GMT

| gentimes start=01/01/2019 
| rename starttime as _time 
| timechart span=1month count 
| eval time = strftime(_time ,"%b") 
| table time count 
| transpose 0 header_field=time column_name=Users 
| table Users Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec 
| eval user=mvrange(0,4) 
| mvexpand user 
| foreach * [ eval <<FIELD>> = random() % 100 + 10]
| streamstats count 
| eval result=if(count % 2 = 1,"found","Not_Found") 
| eval Users=if(count <= 2,"ABC","XYZ") 
| table Users result Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec
`comment("this is your sample. From here, the logic")`
| eval tmp=Users.":".result
| fields - Users result
| transpose 0 header_field=tmp column_name=month

Visualization >> Column Chart with overlay ABC:Not_Found and XYZ:Not_Found

Hi, folks. how about this?

Re: How to display charts based on condition by some field

avni26 — Fri, 07 Feb 2020 08:59:56 GMT

@to4kawa Thanks, it worked perfectly as per my requirement.

Re: How to display charts based on condition by some field

Taruchit — Fri, 18 Mar 2022 09:56:00 GMT

Hi All,

How can we apply if else condition to following chart command such that if the value in a cell is 0, the cell is empty else it displays the cell content.

| chart sum(field1) OVER field2 BY field3

The above command gives a tabular result with field2 values on Y axis, field3 values on X axis, and sum(field1) data in cells for each field2 and field3.

I want to keep the cells which evaluate to sum(field1)=0, but want to keep those cells empty.

Thank you