Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Bar chart visualization

Naa_Win
Path Finder
‎10-10-2023 06:51 PM

Hello,

I have a below values in lookup and trying to achieve below bar chart view. 
Country     old_limit        old_spend_limit      new_limit          new_spend_limit
   USA            84000             37000                       121000                   43000
  Canada     149000           103000                     214000                 128000

old_limit = PRE
new_limit = POST

 

Naa_Win_0-1696988676878.png

 

Labels (1)
Labels
Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

bowesmana
SplunkTrust
SplunkTrust
‎10-10-2023 08:56 PM

You can do it by creating a stacked bar and setting the limit to be the gap (limit-spend) and creating the rows needed for the 4 groups.

Here's an example, but I suspect there is a better way

| makeresults 
| eval _raw="Country,old_limit,old_spend_limit,new_limit,new_spend_limit
USA,84000,37000,121000,43000
Canada,149000,103000,214000,128000" 
| multikv forceheader=1 
| table Country old_limit old_spend_limit new_limit new_spend_limit
| foreach *_spend_limit [ eval "<<MATCHSEG1>>_gap"='<<MATCHSEG1>>_limit'-<<FIELD>>, type=if("<<MATCHSEG1>>"="old", "Pre", "Post"), MV=mvappend(mvzip(mvzip('<<MATCHSEG1>>_gap', '<<FIELD>>', ";"), type, ";"), MV) ]
| fields Country MV
| mvexpand MV
| rex field=MV "(?<gap>[^\;]*);(?<spend>[^\;]*);(?<type>.*)"
| eval Country=Country." ".type
| fields Country gap spend

This just creates a gap;spend field for each type (pre/post) and then expands the pair for each country.

 

View solution in original post

Reply
Solved! Jump to solution

Naa_Win
Path Finder
‎10-17-2023 08:58 AM

@bowesmana  Thank you !!!

I had modified the query and and achieved what I'm looking for.....

| foreach *_spend_limit
[ eval type=if(match("<<MATCHSEG1>>","old"), "Pre", "Post"), MV=mvappend(mvzip(mvzip('<<MATCHSEG1>>_limit', '<<FIELD>>', ";"), type, ";"), MV) ]
| fields market MV
| mvexpand MV
| rex field=MV "(?<limit>[^\;]*);(?<spend>[^\;]*);(?<type>.*)"
| eval market=market." ".type
| fields market limit spend

 

0 Karma
Reply
Solved! Jump to solution
Solution

bowesmana
SplunkTrust
SplunkTrust
‎10-10-2023 08:56 PM

You can do it by creating a stacked bar and setting the limit to be the gap (limit-spend) and creating the rows needed for the 4 groups.

Here's an example, but I suspect there is a better way

| makeresults 
| eval _raw="Country,old_limit,old_spend_limit,new_limit,new_spend_limit
USA,84000,37000,121000,43000
Canada,149000,103000,214000,128000" 
| multikv forceheader=1 
| table Country old_limit old_spend_limit new_limit new_spend_limit
| foreach *_spend_limit [ eval "<<MATCHSEG1>>_gap"='<<MATCHSEG1>>_limit'-<<FIELD>>, type=if("<<MATCHSEG1>>"="old", "Pre", "Post"), MV=mvappend(mvzip(mvzip('<<MATCHSEG1>>_gap', '<<FIELD>>', ";"), type, ";"), MV) ]
| fields Country MV
| mvexpand MV
| rex field=MV "(?<gap>[^\;]*);(?<spend>[^\;]*);(?<type>.*)"
| eval Country=Country." ".type
| fields Country gap spend

This just creates a gap;spend field for each type (pre/post) and then expands the pair for each country.

 

Reply
Get Updates on the Splunk Community!

.conf24 | Day 0

Hello Splunk Community! My name is Chris, and I'm based in Canberra, Australia's capital, and I travelled for ...

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

(view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...