topic Can I split a field based on its values and graph as multi-series? in Splunk Search https://community.splunk.com/t5/Splunk-Search/Can-I-split-a-field-based-on-its-values-and-graph-as-multi/m-p/188573#M54320 <P>I have a single numeric field that I want to timechart in ranges...i.e. rangemap the field into custom buckets, then timechart with a count by range. Because if the nature of the data, there are WAY more instances of "0" than any other value, making it difficult to interpret the non-zero values. I'd like to treat the 0 values as a different field, then create a timechart that has a count of the 0 values on one Y-axis and a stacked column of the other range values on a second Y-axis. Is such a thing possible? My simple search thus far looks like...</P> <P>search RF-DELTA| rangemap field=RF-DELTA 0=0-0, 1-10=1-10, 11-20=11-20, 21-30=21-30, 31-40=31-40, 41-50=41-50, default=&gt;50 | timechart span=1d count by range</P> <P>I guess I need to understand whether I can split out the 0 values as a separate field AND if I can create a multi-axis timechart. Thanks in advance!</P> Wed, 04 Jun 2014 17:24:55 GMT jheney 2014-06-04T17:24:55Z Can I split a field based on its values and graph as multi-series? https://community.splunk.com/t5/Splunk-Search/Can-I-split-a-field-based-on-its-values-and-graph-as-multi/m-p/188573#M54320 <P>I have a single numeric field that I want to timechart in ranges...i.e. rangemap the field into custom buckets, then timechart with a count by range. Because if the nature of the data, there are WAY more instances of "0" than any other value, making it difficult to interpret the non-zero values. I'd like to treat the 0 values as a different field, then create a timechart that has a count of the 0 values on one Y-axis and a stacked column of the other range values on a second Y-axis. Is such a thing possible? My simple search thus far looks like...</P> <P>search RF-DELTA| rangemap field=RF-DELTA 0=0-0, 1-10=1-10, 11-20=11-20, 21-30=21-30, 31-40=31-40, 41-50=41-50, default=&gt;50 | timechart span=1d count by range</P> <P>I guess I need to understand whether I can split out the 0 values as a separate field AND if I can create a multi-axis timechart. Thanks in advance!</P> Wed, 04 Jun 2014 17:24:55 GMT https://community.splunk.com/t5/Splunk-Search/Can-I-split-a-field-based-on-its-values-and-graph-as-multi/m-p/188573#M54320 jheney 2014-06-04T17:24:55Z Re: Can I split a field based on its values and graph as multi-series? https://community.splunk.com/t5/Splunk-Search/Can-I-split-a-field-based-on-its-values-and-graph-as-multi/m-p/188574#M54321 <P>You can do the multi-axis timechart since Splunk 6.1.</P> <P>As for splitting the fields, no real need to do that. If you do a <CODE>count by range</CODE> you can specify the <CODE>0</CODE> field to be charted on a second Y-axis as a line on top of your column chart.</P> Wed, 04 Jun 2014 20:45:33 GMT https://community.splunk.com/t5/Splunk-Search/Can-I-split-a-field-based-on-its-values-and-graph-as-multi/m-p/188574#M54321 martin_mueller 2014-06-04T20:45:33Z