https://community.splunk.com/t5/Splunk-Search/How-to-chart-the-number-of-occurrences-including-its-respective/m-p/596222#M207552 <LI-CODE lang="markup">| stats count values(alert_threshold) as alert_threshold by eventtype </LI-CODE> Tue, 03 May 2022 08:13:09 GMT ITWhisperer 2022-05-03T08:13:09Z https://community.splunk.com/t5/Splunk-Search/How-to-chart-the-number-of-occurrences-including-its-respective/m-p/596184#M207537 <P>Hi everybody,</P> <P>I have the following problem and cannot seem to be able to wrap my head around it:</P> <OL> <LI>I have a bunch of eventtypes (close to 1000).</LI> <LI>Some of those eventtypes have certain thresholds which are greater than zero. I look the values up from a csv</LI> <LI>For a single host, I'd like to<BR /> <OL> <LI>Chart the number of occurrances for an eventtype IF <OL> <LI>That number of occurrances is higher than the aforementioned threshold</LI> <LI>The chart shall also contain a static line depicting the threshold value</LI> </OL> </LI> </OL> </LI> </OL> <P>Here is what I have so far. I believe I am always getting lost when using an aggregate function such as count() because added something to the result using eval just wont work.</P> <P>&nbsp;</P> <P>&nbsp;</P> <LI-CODE lang="markup">index="my_index" eventtype=* host="$HOST_FROM_DROPDOWN$" | lookup my-events eventtype | eventstats count by eventtype | where alert_threshold &gt; 0 AND count &gt; alert_threshold | stats count by eventtype | eval Threshold = alert_threshold</LI-CODE> <P>&nbsp;</P> <P>&nbsp;What I do understand is that I have to add the "Threshold" variable in the overlay Options of the chart.</P> <P>Any help is much appreciated. Thank you</P> Tue, 03 May 2022 15:59:44 GMT https://community.splunk.com/t5/Splunk-Search/How-to-chart-the-number-of-occurrences-including-its-respective/m-p/596184#M207537 zapping575 2022-05-03T15:59:44Z https://community.splunk.com/t5/Splunk-Search/How-to-chart-the-number-of-occurrences-including-its-respective/m-p/596222#M207552 <LI-CODE lang="markup">| stats count values(alert_threshold) as alert_threshold by eventtype </LI-CODE> Tue, 03 May 2022 08:13:09 GMT https://community.splunk.com/t5/Splunk-Search/How-to-chart-the-number-of-occurrences-including-its-respective/m-p/596222#M207552 ITWhisperer 2022-05-03T08:13:09Z https://community.splunk.com/t5/Splunk-Search/How-to-chart-the-number-of-occurrences-including-its-respective/m-p/596233#M207559 <P>Thank you very much. I got it working as expected like this:</P><LI-CODE lang="markup">index="my_index" eventtype=* host="dropdown_value..." | lookup my_lookup eventtype | stats count values(alert_threshold) as alert_threshold by eventtype | where alert_threshold &gt; 0 AND count &gt; alert_threshold | sort count desc</LI-CODE><P>&nbsp;</P><P>Now the only thing left is that the threshold value is drawn as a dot in the chart. I'd like it to be a line going across the entire bar. Is that possible?</P> Tue, 03 May 2022 09:56:42 GMT https://community.splunk.com/t5/Splunk-Search/How-to-chart-the-number-of-occurrences-including-its-respective/m-p/596233#M207559 zapping575 2022-05-03T09:56:42Z https://community.splunk.com/t5/Splunk-Search/How-to-chart-the-number-of-occurrences-including-its-respective/m-p/596236#M207560 <P>You will get a dot if there is only 1 point on the line e.g. only one event type breaches the threshold</P> Tue, 03 May 2022 10:14:34 GMT https://community.splunk.com/t5/Splunk-Search/How-to-chart-the-number-of-occurrences-including-its-respective/m-p/596236#M207560 ITWhisperer 2022-05-03T10:14:34Z https://community.splunk.com/t5/Splunk-Search/How-to-chart-the-number-of-occurrences-including-its-respective/m-p/596265#M207569 <P>Acknowledged. thanks</P> Tue, 03 May 2022 14:23:00 GMT https://community.splunk.com/t5/Splunk-Search/How-to-chart-the-number-of-occurrences-including-its-respective/m-p/596265#M207569 zapping575 2022-05-03T14:23:00Z