Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Create TimeSpan Line Chart After Eval-ing

migquinn
Engager
‎06-08-2019 07:21 PM

Do any experienced Splunkers know what needs to be changed to my query below in order to create a TimeSpan Line Chart over say the past 30 days for counts of the four Severity levels created by the Eval command?

index=myIndex source=mySource host=myHost sourcetype=mySourceType | stats count(eval(severity="0" OR severity="1" OR severity="2")) as Low count(eval(severity="3" OR severity="4" OR severity="5")) as Medium count(eval(severity="6" OR severity="7" OR severity="8")) as High count(eval(severity="9" OR severity="10")) as Critical | table Low Medium High Critical | transpose | rename column as Severity "row 1" as Count

I have attached a screenshot and instead of the values on the right-hand side being 1 - 10, I'd like them to be Low, Medium etc...

Thanks in advance

alt text

Preview file
1 KB
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎06-09-2019 10:33 AM

Try this untested query:

index=myIndex source=mySource host=myHost sourcetype=mySourceType 
| eval Severity=case(severity="0" OR severity="1" OR severity="2"), "Low", (severity="3" OR severity="4" OR severity="5"), "Medium", (severity="6" OR severity="7" OR severity="8"), "High", (severity="9" OR severity="10"), "Critical") 
| timechart count as Count by Severity
---
If this reply helps you, Karma would be appreciated.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎06-09-2019 10:33 AM

Try this untested query:

index=myIndex source=mySource host=myHost sourcetype=mySourceType 
| eval Severity=case(severity="0" OR severity="1" OR severity="2"), "Low", (severity="3" OR severity="4" OR severity="5"), "Medium", (severity="6" OR severity="7" OR severity="8"), "High", (severity="9" OR severity="10"), "Critical") 
| timechart count as Count by Severity
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

migquinn
Engager
‎06-12-2019 04:31 PM

Thanks for the input. It didn't work when I tried it but I took your command, switched it up a little and positioned it further up the query and it worked:

index=myIndex source=mySource host=myHost sourcetype=mySourceType | timechart count(eval(severity="0" OR severity="1" OR severity="2")) as Low count(eval(severity="3" OR severity="4" OR severity="5")) as Medium count(eval(severity="6" OR severity="7" OR severity="8")) as High count(eval(severity="9" OR severity="10")) as Critical

Again, thanks for your help on this!

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎06-15-2019 04:10 AM

@migquinn If your problem is resolved, please accept the answer to help future readers.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...