Solved: How to creat a chart over multiple fields?

NathanAsh · ‎07-13-2023

hi

I need some thing like the following one as the final output

I have tried some thing like this...but not the one i expected...

....query | chart values(percent) over svc by ResponseCode

is it possible to include something like this, checked and its not working...

....query | chart values(percent) over Channel,svc by ResponseCode

Thanks

ITWhisperer · ‎07-14-2023

Try something like this

| stats values(percent) as percent by Channel,svc,ResponseCode
| eval {ResponseCode} = percent
| fields - ResponseCode percent
| stats values(*) as * by Channel,svc
| fillnull value=0

View solution in original post

PickleRick · ‎07-14-2023

As @gcusello said - it doesn't work this way in Splunk. It's indeed not Excel, but that's not the _reason_. It's just that it's impossible to have such relationship between separate rows of results - in Splunk every result is an entity in its own rights so you can't "make" one result row to "stick" with another one.

Maybe - just maybe - someone did a custom visualization which merges cells on presentation but I doubt that.

You can use multivalue functions to simulate this behaviour to some extent but this functionality is very limited and doesn't allow for - for example - reordering several columns "together". It doesn't work well with "holes" in the results either.

ITWhisperer · ‎07-14-2023

Try something like this

| stats values(percent) as percent by Channel,svc,ResponseCode
| eval {ResponseCode} = percent
| fields - ResponseCode percent
| stats values(*) as * by Channel,svc
| fillnull value=0

NathanAsh · ‎08-08-2023

Hi,

I have another query in connection with these queries output. Don't know whether to open another request or continue with this..

Let me brief the requirements here,

I am planning to create an alert based on the above query results, in that i need to include the trigger condition as response code 200's value less than 85% records to be mailed. how do I go about configuring the trigger condition. I am just trying search 200<85, yet to see the alert being generated.

Can you please help me with that?

Thanks

gcusello · ‎08-09-2023

Hi @NathanAsh ,

it's always better to open a new question to have a quicker and maybe better answer.

Always remember to accept one answer for te other people of the Community and giving Karma Points to all the Contributors.

Anyway, I hint to insert the condition in the alert search and configure your alert when there are results.

Ciao.

Giuseppe

NathanAsh · ‎08-09-2023

Hi,

Thanks. Yes, finally I did that already its working fine. Even that search custom query was working , it got messed up in the mail filtering rules. Thanks for your suggestions .

NathanAsh · ‎08-03-2023

Thanks, something better results

gcusello · ‎08-03-2023

Hi @NathanAsh ,

good for you, see next time!

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated by all the contributors 😉

gcusello · ‎07-13-2023

Hi @NathanAsh,

Splunk isn't Excel, so it isn't possible to exactly have this output.

You have only one workaround:

having the channel value in each row, in the same field of the ResponseCode:

| eval Column= Channel." - ".svc
| chart values(percent) over Column by ResponseCode

Ciao.

Giuseppe

How to creat a chart over multiple fields?

chart

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?