https://community.splunk.com/t5/Splunk-Search/How-do-I-create-a-stacked-bar-chart-with-my-data-set/m-p/207135#M60384 <P>Thanks for that. </P> <P>the search that i am doing is a simple one. I have created a field extraction to extract the 2nd column of that table. </P> <P>So when you actually do a top limit=5 it shows that there are two types for it . </P> <P>Would it work then? </P> <P>Thank you<BR /> Dan</P> Tue, 22 Dec 2015 18:38:27 GMT dantu 2015-12-22T18:38:27Z https://community.splunk.com/t5/Splunk-Search/How-do-I-create-a-stacked-bar-chart-with-my-data-set/m-p/207133#M60382 <P>Hi Guys, </P> <P>I have the following data set that i retrieve using a search : </P> <PRE><CODE>host calltype count pc4bwsoap03 odata/v2 4931 pc4bwsoap03 sfapi/v1 134 pc4bwsoap03 api/oauth 13 pc4bwsoap03 xi/ajax 9 pc4bwsoap03 api/cdp 9 pc4bwsoap04 sfapi/v1 642 pc4bwsoap04 odata/v2 449 pc4bwsoap04 api/oauth 28 pc4bwsoap04 xi/ajax 24 pc4bwsoap04 api/cdp 23 </CODE></PRE> <P>Now in this you see the reappearance across multiple hosts of something like odata/v2 , sfapi/v1 </P> <P>Now how do I generate a stacked graph for this so that one of the axis is the host and it has one bar which represents the 2nd column instead of multiple bars? </P> <P>Thank you<BR /> Dan</P> Tue, 22 Dec 2015 17:05:19 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-create-a-stacked-bar-chart-with-my-data-set/m-p/207133#M60382 dantu 2015-12-22T17:05:19Z https://community.splunk.com/t5/Splunk-Search/How-do-I-create-a-stacked-bar-chart-with-my-data-set/m-p/207134#M60383 <P>Not sure of you main search, but this might help you:</P> <PRE><CODE> &lt;your_search&gt; | contingency host calltype useother=f </CODE></PRE> <P>This will provide a table of the counts by host and calltype. You can then use a Stacked bar chart to visualize the data.</P> <P>There is an alternative to <CODE>contingency</CODE> in case you need to do a more advanced calculation. </P> <PRE><CODE>&lt;your_search&gt; | chart sum(counts) by host over calltype </CODE></PRE> <P>This should return the same table, to use in the graph.</P> Tue, 22 Dec 2015 17:11:38 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-create-a-stacked-bar-chart-with-my-data-set/m-p/207134#M60383 alacercogitatus 2015-12-22T17:11:38Z https://community.splunk.com/t5/Splunk-Search/How-do-I-create-a-stacked-bar-chart-with-my-data-set/m-p/207135#M60384 <P>Thanks for that. </P> <P>the search that i am doing is a simple one. I have created a field extraction to extract the 2nd column of that table. </P> <P>So when you actually do a top limit=5 it shows that there are two types for it . </P> <P>Would it work then? </P> <P>Thank you<BR /> Dan</P> Tue, 22 Dec 2015 18:38:27 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-create-a-stacked-bar-chart-with-my-data-set/m-p/207135#M60384 dantu 2015-12-22T18:38:27Z https://community.splunk.com/t5/Splunk-Search/How-do-I-create-a-stacked-bar-chart-with-my-data-set/m-p/207136#M60385 <P>What is your search to generate this data?</P> Tue, 22 Dec 2015 23:41:06 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-create-a-stacked-bar-chart-with-my-data-set/m-p/207136#M60385 woodcock 2015-12-22T23:41:06Z https://community.splunk.com/t5/Splunk-Search/How-do-I-create-a-stacked-bar-chart-with-my-data-set/m-p/207137#M60386 <P>Ah ok, so I think you are pulling that table as a single event. In that case:</P> <PRE><CODE>&lt;your_search_to_find_the_event&gt; | rex field=_raw "(?&lt;host&gt;[^\s]+)\s+(?&lt;calltype&gt;[^\s]+)\s+(?&lt;count&gt;\d+)(?:[\r\n]+)?" max_match=0 | &lt;contingency_or_chart_as above&gt; </CODE></PRE> Wed, 23 Dec 2015 01:57:14 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-create-a-stacked-bar-chart-with-my-data-set/m-p/207137#M60386 alacercogitatus 2015-12-23T01:57:14Z