Solved: Help how to create bar chart from two different so...

dhavamanis · ‎10-30-2014

Need a help.

Can you please provide the sample query to draw the bar chart (stacked bar chart) with the below info. We have the two sources and index="idxstaging"

/var/log/idx/dispacher.log
column:
transaction_id
worker_time (number)
database_time (number)
/var/log/idx/api.log

Column:
transaction_id
api_response_time (number)

how can i build a bar chart based on transaction_id from the above column. We want to show the each transaction how long time its spent for worker_time, database_time and api_response_time.

martin_mueller · ‎10-30-2014

Try this:

index=idxstaging (source=/var/log/idx/dispacher.log OR source=/var/log/idx/api.log) | chart sum(worker_time) sum(database_time) sum(api_response_time) by transaction_id

Configure the chart to bar and stacked through the UI.

View solution in original post

martin_mueller · ‎10-30-2014

Try this:

index=idxstaging (source=/var/log/idx/dispacher.log OR source=/var/log/idx/api.log) | chart sum(worker_time) sum(database_time) sum(api_response_time) by transaction_id

Configure the chart to bar and stacked through the UI.

martin_mueller · ‎10-30-2014

I'm pretty sure that order is based on the column names alphabetically, so name them in a way that suits your ordering needs.

dhavamanis · ‎10-30-2014

Thank you, is it possible to show in this order from the bottom, api_response_time, worker_time and database_time (o top). because the database values are very less and not showing any results.

martin_mueller · ‎10-30-2014

Append this to your search:

... | addtotals | sort - Total | fields - Total

dhavamanis · ‎10-30-2014

It works, Thank you so much, how can i order the results based value in the chart. like highest value on top and lowest value to bottom.

Help how to create bar chart from two different source?

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life