topic Re: How do I create a stacked bar chart sorted by host. in Splunk Search

How do I create a stacked bar chart sorted by host.

lakromani — Wed, 05 Aug 2015 07:57:30 GMT

I am still learning all the nice functionality in Splunk, but have some trouble with this.

Eks struktur:

Aug 05 09:27:33 palito dog

Here I got two interesting fields:

host=palito
info=dog

Sample data:

Aug 05 09:27 palito dog
Aug 05 09:28 habo cat
Aug 05 09:29 jago horse
Aug 05 09:30 palito cat
Aug 05 09:31 palito cat
Aug 05 09:32 habo cat
Aug 05 09:33 jago horse
Aug 05 09:34 palito horse
Aug 05 09:35 habo dog

From this I like to get the graph sorted on the info (animal) so I get top 5 animals using this:

 * | top limit=5 info

This give three column, cat=4, dog=2 and horse=3
So far I am full control of the situation.

But then I like to also see the representation of the hosts, so these data gives:

cat 4       palito 2    habo 2
dog 2       palito 1    habo 1
horse 3     palito 1    jago 2

I know how to select format-stacked, but not how to get 3 columns with 4 cat, where I color separate it with 2 palito, and 2 habo etc.
So It should be 3 columns with percent host showing in each of them.

I tried, but not working

 * | top limit=5 info by host

Example on how the three column should look like:

 h
 h              j
 p      h       j
 p      p       p
 --------------------
 cat    dog     horse

Where p,h, and j are different colors.

Re: How do I create a stacked bar chart sorted by host.

shrirangphadke — Wed, 05 Aug 2015 10:09:25 GMT

Hi,

Try this:

 |  timechart count by host limit=10

If you are on search page:
1. Goto Visualization and select bar chart
2. Select format button
3. Select stack mode as: Stacked

Re: How do I create a stacked bar chart sorted by host.

lakromani — Wed, 05 Aug 2015 10:20:22 GMT

This does not help.
It only shows hits over time for each host. I am not interested in time.
I need to see number of each type of animals (info) and each column should show stacked hosts.

Re: How do I create a stacked bar chart sorted by host.

somesoni2 — Wed, 05 Aug 2015 19:33:59 GMT

Try something like this

* | chart count over info by host  | addtotals fieldname="Total" | table info Total * | sort - Total | head 5

This should give you a nice table with info (animal name) as first column, Total (total count) and count by host (as separate columns). Just select stacked option in the visualization and you're set.

Re: How do I create a stacked bar chart sorted by host.

lakromani — Thu, 06 Aug 2015 06:38:25 GMT

Thank you, this is relay close to what I need.
To not add Total to every column I removed it, so it looks like this:

 * | chart count over info by host  | addtotals fieldname="Total" | table info Total * | sort - Total | head 5 | field - Total

But I have a problem with addtotals. It sums up all the fields, that is OK, but if the field name is a number, It add the number of the field name to the Total. For me that seems to be a bug. Is three a way around it?

This is what I like to get:

info\host   palito  habo    jago    Total   
-----------------------------------------
cat         2       2               4
dog         1       1               2
82          1               2       3

This is what Splunk gives, look at Total for the 82

info\host   palito  habo    jago    Total   
-----------------------------------------
cat         2       2               4
dog         1       1               2
82          1               2       85