https://community.splunk.com/t5/Splunk-Search/I-am-trying-to-get-a-bar-chart-to-display-a-stats-count-of-each/m-p/166960#M47518 <P>Can you post the two searches and the results they get you? I've written a nearly identical search to yours and it works perfectly.</P> <P>Or possibly I'm misunderstanding something. What is the universe of the possible values for <CODE>violations</CODE>? By using that at the end of your <CODE>stats</CODE> clause, that's what you're splitting your results over.</P> Mon, 20 Oct 2014 15:23:12 GMT aweitzman 2014-10-20T15:23:12Z https://community.splunk.com/t5/Splunk-Search/I-am-trying-to-get-a-bar-chart-to-display-a-stats-count-of-each/m-p/166957#M47515 <P>index="bigip-asm" web_application_name=HTTPCLASS_PROD_SOAENTRYPOINT_EXTERNAL_LIVE request_status=alerted OR blocked | stats count(eval(request_status="blocked")) as blocked count(eval(request_status="alerted")) as alerted by violations</P> Mon, 28 Sep 2020 17:54:51 GMT https://community.splunk.com/t5/Splunk-Search/I-am-trying-to-get-a-bar-chart-to-display-a-stats-count-of-each/m-p/166957#M47515 james_westwood 2020-09-28T17:54:51Z https://community.splunk.com/t5/Splunk-Search/I-am-trying-to-get-a-bar-chart-to-display-a-stats-count-of-each/m-p/166958#M47516 <P>I think you want to replace</P> <PRE><CODE>request_status=alerted OR blocked </CODE></PRE> <P>with</P> <PRE><CODE>request_status=alerted OR request_status=blocked </CODE></PRE> Mon, 20 Oct 2014 14:49:03 GMT https://community.splunk.com/t5/Splunk-Search/I-am-trying-to-get-a-bar-chart-to-display-a-stats-count-of-each/m-p/166958#M47516 aweitzman 2014-10-20T14:49:03Z https://community.splunk.com/t5/Splunk-Search/I-am-trying-to-get-a-bar-chart-to-display-a-stats-count-of-each/m-p/166959#M47517 <P>i have tried this but it always seem to just populate one value (Blocked or Alerted) and leaves the other one "0"</P> Mon, 20 Oct 2014 15:12:32 GMT https://community.splunk.com/t5/Splunk-Search/I-am-trying-to-get-a-bar-chart-to-display-a-stats-count-of-each/m-p/166959#M47517 james_westwood 2014-10-20T15:12:32Z https://community.splunk.com/t5/Splunk-Search/I-am-trying-to-get-a-bar-chart-to-display-a-stats-count-of-each/m-p/166960#M47518 <P>Can you post the two searches and the results they get you? I've written a nearly identical search to yours and it works perfectly.</P> <P>Or possibly I'm misunderstanding something. What is the universe of the possible values for <CODE>violations</CODE>? By using that at the end of your <CODE>stats</CODE> clause, that's what you're splitting your results over.</P> Mon, 20 Oct 2014 15:23:12 GMT https://community.splunk.com/t5/Splunk-Search/I-am-trying-to-get-a-bar-chart-to-display-a-stats-count-of-each/m-p/166960#M47518 aweitzman 2014-10-20T15:23:12Z https://community.splunk.com/t5/Splunk-Search/I-am-trying-to-get-a-bar-chart-to-display-a-stats-count-of-each/m-p/166961#M47519 <P>all i'm trying to see is the results for both alerted and blocked split by each violation but every time i run this search it seems to on populate either one or the other. so ill get it split by the violation type but if there is results in the alerted then blocked will say zero and vice versa.</P> Tue, 21 Oct 2014 08:51:02 GMT https://community.splunk.com/t5/Splunk-Search/I-am-trying-to-get-a-bar-chart-to-display-a-stats-count-of-each/m-p/166961#M47519 james_westwood 2014-10-21T08:51:02Z