Dashboards & Visualizations
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How do I make a different bar chart for each day in a given timerange ?

sandeepmakkena
Contributor
‎10-10-2018 08:32 AM

mysearch

| eval Status=if(like(_raw, "%POSTING:SUCCEEDED%"), "2.Successful transactions" , "1.Rejected Transactions") 
| timechart count by Status span=1hr | timewrap 1day

I am trying to compare today's total successful transactions and rejected transactions with past 2days, past3days...past7days. I am trying to use the above query, but it is getting me a separate bar graph from successful and rejected( I want them to be stacked) Please help me achieve this.
Thank you.,

0 Karma
Reply

Vijeta
Influencer
‎10-10-2018 08:46 AM

You can change the format to stack mode from Visualization format.

0 Karma
Reply

sandeepmakkena
Contributor
‎10-10-2018 08:55 AM

I tried that it didnot work. It is giving me a big bar graph will all days selected with different colors.

0 Karma
Reply

Vijeta
Influencer
‎10-10-2018 09:30 AM

You need to combine last 2 days as one , you can do that by renaming and eval. Also since you are comparing current date with last 2 days
|rename "2.Successful transactions_1day_before" as Last_Success_1, rename "1.Rejected Transactions_1day_before" as Last_Rejected_1, "2.Successful transactions_2day_before" as Last_Success_2, rename "1.Rejected Ttransactions_2day_before" as Last_Rejected_2
|eval Last_Success=Last_Success_1 + Last_Success_2
|eval Last_Rejected= Last_Rejected_1 + Last_Rejected_2
| fields _time Last_Success Last_Rejected 2.Successful transactions_latest_day "1.Rejected Transactions_latest_day"

0 Karma
Reply

sandeepmakkena
Contributor
‎10-10-2018 10:07 AM

Thanks for the info, but let’s say if I want to compare last 7days should I keep on renaming all the days If so I think there should be a better way. Thanks

0 Karma
Reply
Get Updates on the Splunk Community!

Observability Unlocked: Kubernetes Monitoring with Splunk Observability Cloud

  Ready to master Kubernetes and cloud monitoring like the pros?Join Splunk’s Growth Engineering team for an ...

Wrapping Up Cybersecurity Awareness Month

October might be wrapping up, but for Splunk Education, cybersecurity awareness never goes out of season. ...

🌟 From Audit Chaos to Clarity: Welcoming Audit Trail v2

🗣 You Spoke, We Listened  Audit Trail v2 wasn’t written in isolation—it was shaped by your voices.  In ...