https://community.splunk.com/t5/Splunk-Search/How-to-limit-the-number-of-bars-in-a-Bar-Chart-made-with-Search/m-p/163742#M46512 <P>This just gives me a chart telling me if a user has ever succeeded or failed VS succeeded and failed; the values are all either one or two. It doesn't split results over success and failure, and it doesn't give out the number of successes and failures.</P> Wed, 24 Jun 2015 17:34:48 GMT ksextonmacb 2015-06-24T17:34:48Z https://community.splunk.com/t5/Splunk-Search/How-to-limit-the-number-of-bars-in-a-Bar-Chart-made-with-Search/m-p/163738#M46508 <P>I have a search that makes a stacked bar chart:</P> <PRE><CODE>tag=authentication user!=NULL | eval myVar=if(tag=="success","success","failure") | chart count by user, myVar </CODE></PRE> <P>This search plots number of authentications per user, with each authentication attempt being split between success and failure as the colors in the stacked bar chart.</P> <P>However, I have a lot of users. I want to limit the number of users this bar chart displays to some number of more active users and lump the rest in other, but documentation I've read on the matter doesn't seem to work when applied. The <CODE>bins</CODE> command fails outright, the <CODE>limit</CODE> command applies to myVar instead of user no matter where I put it, and the <CODE>top</CODE> command overwrites my <CODE>chart</CODE> command.</P> <P>I also tried using a pivot, but it seems I can't compare two tags against each other without getting other tags involved.</P> <P>I've also tried using a where clause, but that too is applied to myVar. I think this simply isn't possible.</P> <P>I want the graph pictures below, but with only the bars with the highest count displayed.<BR /> <span class="lia-inline-image-display-wrapper" image-alt="alt text"><img src="https://community.splunk.com/t5/image/serverpage/image-id/402iF02EB6DFD54D36AA/image-size/large?v=v2&amp;px=999" role="button" title="alt text" alt="alt text" /></span></P> <P>Does anyone know how I could do what I want?</P> Mon, 22 Jun 2015 19:10:59 GMT https://community.splunk.com/t5/Splunk-Search/How-to-limit-the-number-of-bars-in-a-Bar-Chart-made-with-Search/m-p/163738#M46508 ksextonmacb 2015-06-22T19:10:59Z https://community.splunk.com/t5/Splunk-Search/How-to-limit-the-number-of-bars-in-a-Bar-Chart-made-with-Search/m-p/163739#M46509 <P>1) To get the tag count per user<BR /> tag=authentication user!=NULL | eval myVar=if(tag=="success","success","failure") | stats dc(myVar) as tagCount by user</P> <P>2) To display in sort order (descending) by tagCount<BR /> tag=authentication user!=NULL | eval myVar=if(tag=="success","success","failure") | stats dc(myVar) as tagCount by user | sort -eventCount</P> <P>3) To display top 10 users (From above search)<BR /> tag=authentication user!=NULL | eval myVar=if(tag=="success","success","failure") | stats dc(myVar) as tagCount by user | sort -eventCount | head 10</P> Wed, 24 Jun 2015 16:38:34 GMT https://community.splunk.com/t5/Splunk-Search/How-to-limit-the-number-of-bars-in-a-Bar-Chart-made-with-Search/m-p/163739#M46509 vinitatsky 2015-06-24T16:38:34Z https://community.splunk.com/t5/Splunk-Search/How-to-limit-the-number-of-bars-in-a-Bar-Chart-made-with-Search/m-p/163740#M46510 <P>Hi ksextonmacb <BR /> Try this search code </P> <PRE><CODE>tag=authentication user!=NULL | eval myVar=if(tag=="success","success","failure") | chart count by myVar , user limit=8 useother="f" usenull="f" </CODE></PRE> Wed, 24 Jun 2015 16:53:01 GMT https://community.splunk.com/t5/Splunk-Search/How-to-limit-the-number-of-bars-in-a-Bar-Chart-made-with-Search/m-p/163740#M46510 chimell 2015-06-24T16:53:01Z https://community.splunk.com/t5/Splunk-Search/How-to-limit-the-number-of-bars-in-a-Bar-Chart-made-with-Search/m-p/163741#M46511 <P>This gets me two bars, one for success and one for failure, with the color of each stacked bar corresponding to user. I'm after a bar for each desired user, with the color of each stacked bar corresponding to the value of myVar.</P> <P>I do think this answer is as close as I'm going to get to what I want, though.</P> Wed, 24 Jun 2015 17:03:30 GMT https://community.splunk.com/t5/Splunk-Search/How-to-limit-the-number-of-bars-in-a-Bar-Chart-made-with-Search/m-p/163741#M46511 ksextonmacb 2015-06-24T17:03:30Z https://community.splunk.com/t5/Splunk-Search/How-to-limit-the-number-of-bars-in-a-Bar-Chart-made-with-Search/m-p/163742#M46512 <P>This just gives me a chart telling me if a user has ever succeeded or failed VS succeeded and failed; the values are all either one or two. It doesn't split results over success and failure, and it doesn't give out the number of successes and failures.</P> Wed, 24 Jun 2015 17:34:48 GMT https://community.splunk.com/t5/Splunk-Search/How-to-limit-the-number-of-bars-in-a-Bar-Chart-made-with-Search/m-p/163742#M46512 ksextonmacb 2015-06-24T17:34:48Z https://community.splunk.com/t5/Splunk-Search/How-to-limit-the-number-of-bars-in-a-Bar-Chart-made-with-Search/m-p/163743#M46513 <P>try like :</P> <PRE><CODE>tag=authentication user!=NULL | chart count(eval(tag="success")) as "count tag succes", count(eval(tag!="success")) as "count tag faillures" by user limit=8 useother="f" usenull="f" </CODE></PRE> Wed, 24 Jun 2015 18:33:12 GMT https://community.splunk.com/t5/Splunk-Search/How-to-limit-the-number-of-bars-in-a-Bar-Chart-made-with-Search/m-p/163743#M46513 fdi01 2015-06-24T18:33:12Z https://community.splunk.com/t5/Splunk-Search/How-to-limit-the-number-of-bars-in-a-Bar-Chart-made-with-Search/m-p/163744#M46514 <P>The limit is still not being applied to users. This search produces the same graph as in the image with the names of the colors changed.</P> Wed, 24 Jun 2015 18:39:08 GMT https://community.splunk.com/t5/Splunk-Search/How-to-limit-the-number-of-bars-in-a-Bar-Chart-made-with-Search/m-p/163744#M46514 ksextonmacb 2015-06-24T18:39:08Z https://community.splunk.com/t5/Splunk-Search/How-to-limit-the-number-of-bars-in-a-Bar-Chart-made-with-Search/m-p/163745#M46515 <P>the following link will be help<BR /> <A href="http://answers.splunk.com/answers/73745/max-data-points-that-charts-can-handle.html">http://answers.splunk.com/answers/73745/max-data-points-that-charts-can-handle.html</A></P> Thu, 25 Jun 2015 13:22:50 GMT https://community.splunk.com/t5/Splunk-Search/How-to-limit-the-number-of-bars-in-a-Bar-Chart-made-with-Search/m-p/163745#M46515 chimell 2015-06-25T13:22:50Z https://community.splunk.com/t5/Splunk-Search/How-to-limit-the-number-of-bars-in-a-Bar-Chart-made-with-Search/m-p/163746#M46516 <P>This search does the thing that I want. Just change 10 to however many bars you want.</P> <PRE><CODE>tag=authentication user!=NULL AND (tag=success OR tag=failure) | eval myVar=if(tag=="success","success","failure") | chart count as Count by user, myVar | addtotals fieldname=total | sort -total | fields user failure success | head 10 </CODE></PRE> <P>It looks like the "fields" in my chart become user, success, failure, and a few others instead of the fields in my search. This was what caused me problems.</P> <P>If anyone knows how to get an "other" bar involved in all of this that'd be swell, but this is good enough.</P> Mon, 29 Jun 2015 16:16:01 GMT https://community.splunk.com/t5/Splunk-Search/How-to-limit-the-number-of-bars-in-a-Bar-Chart-made-with-Search/m-p/163746#M46516 ksextonmacb 2015-06-29T16:16:01Z