Solved: How to chart with 2 different data over a time per...

angersleek · ‎01-27-2020

index=my-index ns=my-namespace app_name=my-api DECISION IN (YES, NO) | chart list(DECISION) BY PRODUCT_ID

For above query, how could I possibly chart it for a query of 90 days. I want the data to be shown weekly. There are 11 possible ids for the value PRODUCT_ID.

Thus total 3 things to consider. PRODUCT_ID (11 types), DECISION (2 types) and the timeline to be shown weekly for a 90 day period.
How can I chart this in Splunk? Bit confused as to what chart would fit this scenario and how to write the query to chart this. Appreciate any advice. Thanks.

to4kawa · ‎01-27-2020

index=my-index ns=my-namespace app_name=my-api DECISION IN (YES, NO)

| fields _time DECISION PRODUCT_ID
| bin span=1d _time
| stats  values(PRODUCT_ID) as PRODUCT_ID by _time DECISION

as you like.

View solution in original post

to4kawa · ‎01-27-2020

index=my-index ns=my-namespace app_name=my-api DECISION IN (YES, NO)

| fields _time DECISION PRODUCT_ID
| bin span=1d _time
| stats  values(PRODUCT_ID) as PRODUCT_ID by _time DECISION

as you like.

skoelpin · ‎01-27-2020

Try this

index=my-index ns=my-namespace app_name=my-api DECISION IN (YES, NO) earliest=-90d@d latest=now
| timechart values(DECISION) BY PRODUCT_ID

How to chart with 2 different data over a time period?

Introducing Edge Processor: Next Gen Data Transformation

Take the 2021 Splunk Career Survey for $50 in Amazon Cash

Using Machine Learning for Hunting Security Threats