Hi,
index="sh" sourcetype="xml" status=* (Group="Connect" OR Group="health") AND (Section="Site" OR Section="Local") AND (Component="test" OR Component="test1")|dedup _time,Case|where Created_ON=Updated_ON|table _time,Cretaed_ON,Updated_ON
I want a bar graph based on the Group wise trend weekly wise for the last 3 months.
bar should display for sameday(current day cases creation),1-2 days(within 2 days creation),(2-5 days),(5-7 days) like this in x axis
different colors showing different groups.
How do you do this? Please help how to form the query
You will need to create a calculated field that tells you how many days ago the event occurred and then use the charts command to aggregate on the days_ago field that you have created and the field you would like to split your series. Here is an example using the internal logs where I split by the log_level field.
index=_internal sourcetype=splunkd
| eval days = (Now() - _time) /86400
| eval days_ago = case(days > 5, "5+ days", days < 5 AND days > 3, "3-5 days", days < 3 AND days > 1, "1-3 Days", days < 1, "Less than 1 Day")
| chart count by days_ago log_level
Then click on the visualization tab > format > general and select "stacked" for stack mode
You will need to create a calculated field that tells you how many days ago the event occurred and then use the charts command to aggregate on the days_ago field that you have created and the field you would like to split your series. Here is an example using the internal logs where I split by the log_level field.
index=_internal sourcetype=splunkd
| eval days = (Now() - _time) /86400
| eval days_ago = case(days > 5, "5+ days", days < 5 AND days > 3, "3-5 days", days < 3 AND days > 1, "1-3 Days", days < 1, "Less than 1 Day")
| chart count by days_ago log_level
Then click on the visualization tab > format > general and select "stacked" for stack mode
