https://community.splunk.com/t5/Splunk-Search/Charting-over-column-header/m-p/84392#M21524 <P>Thanks for the answer, however I must precise that the column header names are not field contents, they are manually named by me. So except if there is a way to xyseries on a list of values instead of the content of a field, I cannot use it.</P> <P>Or maybe I am missing something?</P> Tue, 09 Oct 2012 14:56:03 GMT guilhem 2012-10-09T14:56:03Z https://community.splunk.com/t5/Splunk-Search/Charting-over-column-header/m-p/84390#M21522 <P>Hi everyone!<BR /> I'm a new splunk user, and I have a quesion about chart formatting.</P> <P>Here is the results of a search I've made:</P> <P>v column Header1 Column Header2 Column Header3 Column Header 4 Column Header 5 ...<BR /> X 100 91.2 85.7 81.0 76.2 ...<BR /> Y 120 110 100 90 75.3 ...<BR /> Z 121 120 98 40 36 ...<BR /> .<BR /> .<BR /> .</P> <P>EDIT: The column header names are results of a eval expressions, and not extracted from fields.</P> <P>I would like to chart the value so that I get this result below:</P> <P>[Whatever] X Y Z ...<BR /> columnHeader1 100 120 121<BR /> columnHeader2 91.2 110 120<BR /> columnHeader3 85.7 100 98 ...<BR /><BR /> . .<BR /> . .<BR /> . .</P> <P>So that I can use a pretty graph to draw each series X, Y, Z according to the x-axis, which will be the name of the column headers</P> <P>I've tried many things, I've tried to use the transpose, but it doesn't work weel because it gives me:</P> <P>Column Row 1 Row 2 Row 3 ...<BR /> v X Y Z<BR /> columnHeader1 100 120 121<BR /> columnHeader2 91.2 110 120<BR /> columnHeader3 85.7 100 98 ...<BR /><BR /> . .<BR /> . .<BR /> . .</P> <P>I saw that we can rename the column header, but I don't know the values of X, Y, Z beforehand, so I can't use rename, except if there is a way to rename by the value of a field, and then remove the first row, which I don't know how to do either.</P> <P>Any help would be much appreciated!</P> <HR /> <P>EDIT 2: Thanks for answering so fast, here is the search I am running (on another data set/ fields, I have just transposed it to the _internal index):</P> <P>index=_internal <BR /> | stats c(action) as count1 by source<BR /> | join type=outer [ search index=_internal action=touch | stats dc(component) as count2 by source]<BR /> | join type=outer [ search index=_internal action=cancel | stats dc(component) as progress1 by source]<BR /> | eval %_progress10%=round(progress1*100/count1,1)<BR /> | eval %_count2%=round(count2/count1,1)<BR /> | fillnull<BR /> | fields source %_progress10% %_count2%</P> <P>And the results I get (values aren't real values):</P> <PRE><CODE> source %_progress10% %_count2% </CODE></PRE> <P>1 license_usage.log 0.3 2.0<BR /> 2 metrics.log 0.4 0.9<BR /> 3 splunkd.log 0.5 0.4<BR /> 4 splunkd_access.log 0.6 0.7<BR /> 5 web_access.log 0.7 0.6<BR /> 6 web_service.log 1.9 0.1</P> <P>What I would like to do is to have this:</P> <P>[whatever] license_usage.log metrics.log .....<BR /> %progress10% 0.3 0.4<BR /> %_count2% 2.0 0.9</P> <P>Many thanks</P> Mon, 28 Sep 2020 12:35:26 GMT https://community.splunk.com/t5/Splunk-Search/Charting-over-column-header/m-p/84390#M21522 guilhem 2020-09-28T12:35:26Z https://community.splunk.com/t5/Splunk-Search/Charting-over-column-header/m-p/84391#M21523 <P>I would recommend the use of xyseries here. Try the following to see it in action:</P> <PRE><CODE>index=_internal | stats count by host sourcetype | xyseries host sourcetype count </CODE></PRE> <P>This will use the values for the host and sourcetype fields for your row and column headers, respectively. (The format is 'xyseries row_identifier column_identifier data_value') Try swapping host and sourcetype in the above example to see how the output changes. </P> <P>This should accomplish what you're looking for nicely.</P> Tue, 09 Oct 2012 14:35:21 GMT https://community.splunk.com/t5/Splunk-Search/Charting-over-column-header/m-p/84391#M21523 emiller42 2012-10-09T14:35:21Z https://community.splunk.com/t5/Splunk-Search/Charting-over-column-header/m-p/84392#M21524 <P>Thanks for the answer, however I must precise that the column header names are not field contents, they are manually named by me. So except if there is a way to xyseries on a list of values instead of the content of a field, I cannot use it.</P> <P>Or maybe I am missing something?</P> Tue, 09 Oct 2012 14:56:03 GMT https://community.splunk.com/t5/Splunk-Search/Charting-over-column-header/m-p/84392#M21524 guilhem 2012-10-09T14:56:03Z https://community.splunk.com/t5/Splunk-Search/Charting-over-column-header/m-p/84393#M21525 <P>Can you provide some example data and the search you're using to get your current results?</P> Tue, 09 Oct 2012 14:57:57 GMT https://community.splunk.com/t5/Splunk-Search/Charting-over-column-header/m-p/84393#M21525 emiller42 2012-10-09T14:57:57Z https://community.splunk.com/t5/Splunk-Search/Charting-over-column-header/m-p/84394#M21526 <P>I've added an example in the first post using _internal index.</P> Tue, 09 Oct 2012 15:57:02 GMT https://community.splunk.com/t5/Splunk-Search/Charting-over-column-header/m-p/84394#M21526 guilhem 2012-10-09T15:57:02Z https://community.splunk.com/t5/Splunk-Search/Charting-over-column-header/m-p/84395#M21527 <P>without changing what you've already provided, you could try <BR /> | untable source fields value | xyseries fields source value</P> <P>I'm not getting useful results with the _internal search you posted, so I can't really test thoroughly. however, it works with a simpler example:</P> <P>index=_internal | timechart count by sourcetype | untable _time series value | xyseries series _time value</P> <P>Build it pipe by pipe to see how it's behaving at each step.</P> Tue, 09 Oct 2012 16:08:23 GMT https://community.splunk.com/t5/Splunk-Search/Charting-over-column-header/m-p/84395#M21527 emiller42 2012-10-09T16:08:23Z https://community.splunk.com/t5/Splunk-Search/Charting-over-column-header/m-p/84396#M21528 <P>Thank you very much!</P> <P>Indeed it worked, but what I wasn't aware of is that the "fields" name is somewhat a keyword in the splunk language and you can use it as a global name for all your column header (not sure if I am clear, or if I have understood it correctly), the same happen for the "value" keyword.</P> <P>Using " | untable source fields value", I was able to put the results in the right format, so I can chart it after with ease.</P> Wed, 10 Oct 2012 07:20:48 GMT https://community.splunk.com/t5/Splunk-Search/Charting-over-column-header/m-p/84396#M21528 guilhem 2012-10-10T07:20:48Z https://community.splunk.com/t5/Splunk-Search/Charting-over-column-header/m-p/84397#M21529 <P>'Fields' and 'value' are arbitrary labels. Replace 'fields' and 'value' with 'peanut_butter' and 'jelly' in the example I gave and you will still get proper results. </P> <P>Glad this worked for you!</P> Wed, 10 Oct 2012 07:35:42 GMT https://community.splunk.com/t5/Splunk-Search/Charting-over-column-header/m-p/84397#M21529 emiller42 2012-10-10T07:35:42Z https://community.splunk.com/t5/Splunk-Search/Charting-over-column-header/m-p/84398#M21530 <P>That's what I was suspecting, so in fact it always work, I was just confused on how the untable command operate, but now I'm clear, as I saw it in action.</P> <P>Thanks!</P> Wed, 10 Oct 2012 08:31:33 GMT https://community.splunk.com/t5/Splunk-Search/Charting-over-column-header/m-p/84398#M21530 guilhem 2012-10-10T08:31:33Z