Re: How to chart a table by two parameters

huiminluo · ‎01-06-2021

Hi there,

I have s splunk search command as follows, it have [year_month, service_label, condition, value]

|inputlookup druid_availability_lookup.csv
|stats sum(good_events) as good_events, sum(total) as total by year_month
|eval service_label = "Druid Data Service-availablity", value=round((good_events/total)*100, 2), condition= if(value<=100, "Fail","")
|table year_month, service_label, condition, value

And i want to displays this result by year_month, when i append commans [|chart values(value) over service_label by year_month] , it will displays as follows, the condition column will be losed.

Is there any methods that can display the result by year_month and also include the condition parameters, thanks

ericjorgensenjr · ‎01-06-2021

Another option if you don't plan on turning this into a graph and will only be using the chart itself:

| eval service_label = "Druid Data Service-availability", value=round((good_events/total)*100,2), condition=if(value<=100,"Fail",""),value=if(condition="",value,value." (".condition.")")

saravanan90 · ‎01-06-2021

Please check if the below query helps.

| makeresults
| eval _raw="year_month service_label condition value
2020-10 Drudit fail 100.0
2020-11 Drudit fail 100.0
2020-12 Drudit fail 100.0"
| multikv forceheader=1
| table year_month condition service_label value
| transpose header_field=year_month
| rename column as temp

-----------------------------------------------------------

An upvote would be appreciated if the above reply is useful to you.

How to chart a table by two parameters

chart

Join Us for Splunk University and Get Your Bootcamp Game On!

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

Announcing Scheduled Export GA for Dashboard Studio