I have two separate queries,
Query1:
host="A" OR "B" consumed
| eval consume = case (.............)
| stats count by consumed
Query2:
host="A" OR "B" produced
| eval produce = case (.............)
| stats count by produce
In the visualization tab (column chart) I get two nice charts/graphs, one for each query.
However, I would like a single chart/graph where both visualizations appear side by side.
Example: on the X axis, a red bar showing the amount produced and a blue bar adjacent to it showing the amount consumed, for each product.
@zacksoft, So something like orancon in your raw data gives oranges consumed and oranpro gives you oranges produced. You can try a query like the following:
<YourBaseSearch> ("orancon" OR "oranpro")
| stats count(eval(searchmatch("orancon"))) as consumed count(eval(searchmatch("oranpro"))) as produced
Or if you want to show the same over time
<YourBaseSearch> ("orancon" OR "oranpro")
| timechart count(eval(searchmatch("orancon"))) as consumed count(eval(searchmatch("oranpro"))) as produced
Thanks @niketnilay
@zacksoft, you could do as @niketnilay suggests here, or you can create a new field for "pro_con" or "action" (call it whatever) with two values, "produced" or "consumed", and then you can chart over that state. Something like this should work:
host="A" OR "B" ("orancon" OR "oranpro")
| eval pro_con=case (match(_raw, "orancon"), "consumed", match(_raw, "oranpro"), "produced", 1=1, "UNK")
| timechart count by pro_con
OR
| stats count by pro_con
OR
| chart count over some_other_grouping_field by pro_con
@niketnilay's search is probably more efficient, whereas the above may be more readable. More options to achieve the same result.
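To show the "for each product" side-by-side bars the question asks for, the pro_con field above can be combined with a product field and charted over product by pro_con. The following is an added, self-contained example (not from any answer in this thread) that builds a few constructed sample events with makeresults, so it can be pasted into a search bar as-is; the field names event, product, action and the token pattern "oran"/"apple" + "con"/"pro" are assumptions for the demo, and on real data the rex and case would run against _raw from the original host="A" OR "B" base search:

```spl
| makeresults count=1
| eval event="host=A orancon qty=2|host=A oranpro qty=5|host=B applecon qty=1|host=B applepro qty=3|host=A orancon qty=1"
| makemv delim="|" event
| mvexpand event
| eval _raw=event
| rex field=_raw "host=(?<host>\w+)\s+(?<product>oran|apple)(?<action>con|pro)"
| eval pro_con=case(action="con", "consumed", action="pro", "produced", 1=1, "UNK")
| eval product=case(product="oran", "orange", product="apple", "apple", 1=1, product)
| chart count over product by pro_con
```

On the constructed events this yields one row per product (apple: consumed=1, produced=1; orange: consumed=2, produced=1); in a column chart that is a grouped pair of bars per product, and the chart's stack mode setting switches it to stacked if preferred.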
@sundareshr worked like a charm!!
Thank You @sundareshr
@zacksoft, what is the condition for produced and consumed (your eval command)? Ideally you should use eval after stats if possible, from a performance point of view. Do you mean side by side, stacked, or overlay? Since your base search remains the same, you might get the stats together. But you might have to give us some sample data and your query for us to assist better.
The eval command goes like this in Query1,
eval consume=case(like(_raw,"%orancon%"),"OrangeConsumed")
and in Query2,
eval produce=case(like(_raw,"%oranpro%"),"OrangeProduced")
Yes, I guess overlay or stacked might solve my problem.
Splunk can only come close like this:
https://docs.splunk.com/Documentation/SplunkCloud/6.6.3/Viz/VisualizationTrellis
If you need it more stuck/close together, then you will have to use a tool like Sideview Utils or roll your own JS/HTML.