Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to create bar chart with time & total amount?

hkchew
New Member
‎05-23-2018 08:45 PM

Under event column, i have these two values:

field_01 field_02
20180524110001 7452
20180524100001 7405
20180524090001 7276

How do I turn them into a bar chart with x-axis = time(per hour) & y-axis= field_02?

Tags (1)
0 Karma
Reply

somesoni2
Revered Legend
‎05-24-2018 12:31 AM

If your _time field value corresponds to your fields_01, then you can do something like this

your current search which includes _time field_01 field_02
| timechart span=1h count by field_02

If its's not and you want to use field_01 value as time, then you can do something like this

your current search which includes _time field_01 field_02
| eval _time=strptime(field_01,"%Y%m%d%H%M%S")  | timechart span=1h count by field_02
0 Karma
Reply

hkchew
New Member
‎05-24-2018 12:51 AM

thanks for the quick response.
but the value of the field_02 is already the total count.
hence is it still possible to plot a bar chart with field_01 & field_02?

0 Karma
Reply

xpac
SplunkTrust
SplunkTrust
‎05-24-2018 02:48 AM

Then try to use last() instead of sum(), or use max()...

0 Karma
Reply

niketn
Legend
‎05-24-2018 12:44 AM

@hkchew, the values in your question i.e. field_o1 and field_02 are present in your raw events or are generated using Splunk search with some transforming command? The reason why I ask is if you have already used some statistical commands to generate the table, then there might be a possibility to format the results as needed up-front. If they are as they appear in the raw events then you can try the following:

<yourBaseSearch>
| eval _time=strptime(field_01,"%Y%m%d%H%M%S")
| timechart span=1h sum(field_02) as Total

Following is the run anywhere search based on sample data provided:

| makeresults 
| eval data="20180524110001 7452;20180524100001 7405;20180524090001 7276" 
| makemv data delim=";" 
| mvexpand data 
| makemv data delim=" " 
| eval field_01=mvindex(data,0), field_02=mvindex(data,1) 
| fields - data
| eval _time=strptime(field_01,"%Y%m%d%H%M%S")
| timechart span=1h sum(field_02) as Total

@somesoni2, I think sum(field_02) as Total aggregate should be used instead of count by field_02 as field_02 already has the count.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply

hkchew
New Member
‎06-04-2018 08:59 PM

@niketnilay it works perfectly but the chart only shows the past records/figures.
how can i show the most recent records/figures on the chart?

0 Karma
Reply

niketn
Legend
‎05-24-2018 12:56 AM

@hkchew try sum(field_02) as per my comment above.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...