topic Re: How do I create a bar chart that shows the count of an event type? in Splunk Search

How do I create a bar chart that shows the count of an event type?

coronelfoca — Mon, 16 Jan 2017 18:36:12 GMT

I'm new to Splunk, trying to understand how these codes work out

Basically i have 2 kinds of events, that comes in txt log files.
type A has "id="39" = 00" and type B has something else other than 00 into this same field..

How can I create a bar chart that shows, day-to-day, how many A's and B's do I have?

I searched a lot of examples and the best I could get was a Type A (badly formed)

 index=demo_bs 
     | bucket _time span=24h 
     | stats sum(eval(if((date_hour>=23) OR (date_hour<11),1,0))) as TimeWindowCount by _time 
     | appendcols 
       [search index=demo_bs "<field id="39" value="00"/>" 
        | stats count as Aprovadas] 
     | eventstats max(Aprovadas) as Aprovadas 
     | rename TimeWindowCount as "Historical Count During Window" 
     | rename Aprovadas as "Aproved Transactions"

Re: How do I create a bar chart that shows the count of an event type?

MuS — Mon, 16 Jan 2017 19:22:38 GMT

Hi coronetfoca,

I hope I got your question right, but this should give you a point to start:

| gentimes start=-1 
| eval foo="\"id=\"39\" = 00\", \"id=\"39\" = 01\"", _time=now() 
| rex max_match=0 field=foo "\"id=\"39\"\s=\s(?<myFoo>[^\"]+)\"" 
| mvexpand myFoo 
| eval approved=if(myFoo="00",1,null()), not-approved=if(myFoo>"00",1,null()) 
| chart count(approved) AS approved count(not-approved) AS not-approved by _time

This will give you an example and the important lines are the two last ones, lines 1-4 are only used to produce fake events.

So what happens here:

| gentimes start=-1

will create a dummy event

| eval foo="\"id=\"39\" = 00\", \"id=\"39\" = 01\"", _time=now()

evals foo and _time

| rex max_match=0 field=foo "\"id=\"39\"\s=\s(?<myFoo>[^\"]+)\""

using regex we get the value you need into a field called myFoo

| mvexpand myFoo

expands the multivalue field into single value field

| eval approved=if(myFoo="00",1,null()), not-approved=if(myFoo>"00",1,null())

checking if the value of myFoo matches an approved or a not-approved

| chart count(approved) AS approved count(not-approved) AS not-approved by _time

charting it by time

Just adapt it to your needs with the historical counts.

Hope this helps ...

cheers, MuS

Re: How do I create a bar chart that shows the count of an event type?

hunters_splunk — Mon, 16 Jan 2017 19:31:50 GMT

Hi coronelfoca,

When your log was indexed, the id and value fields should have been extracted. If not, extract these two fields from your events.
Then you can use the eval command to classify event types using id and value as criteria. The following example assumes all your events are either TypeA or TypeB:

index=demo_bs | timechart span=1d count(eval(id="39" AND value="00")) as TypeA, count as All | eval TypeB = All - TypeA | fields - All

Then, use visualization to view the data in a bar chart.
Hope this helps. Thanks!
Hunter

Re: How do I create a bar chart that shows the count of an event type?

somesoni2 — Mon, 16 Jan 2017 19:36:34 GMT

Not sure what the TimeWindowCount field is doing in your query (considering you want to show count of type A and type b only), but I'will keep that field in the result. Try like this (change the field name typeA and typeB per your need, in all places)

index=demo_bs 
| eval typeA=if(searchmatch("<field id="39" value="00"/>"),1,0)
| eval typeB=abs(1-typeA)
| eval TimeWindow=if((date_hour>=23) OR (date_hour<11),1,0)
| timechart span=1d sum(typeA) as "Aproved Transactions" sum(typeB) as "NameOfTypeB Here" sum(TimeWindow) as "Historical Count During Window"

Re: How do I create a bar chart that shows the count of an event type?

aaraneta_splunk — Mon, 23 Jan 2017 01:24:55 GMT

@coronelfoca - Looks like you have a few possible solutions to your question. If one of them provided a working solution, please don't forget to click "Accept" below the best answer to resolve this post. If you still need help, please leave a comment. Don’t forget to upvote anything that was helpful too. Thanks!