Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Dashboards & Visualizations
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Find Answers
- :
- Using Splunk
- :
- Dashboards & Visualizations
- :
- How to create a bar graph based on two fields
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to create a bar graph based on two fields
mahbs
Path Finder
12-06-2017
03:33 AM
Hi,
I've got two fields:
04_DEC_2017 05_DEC_2017
5 5
6 6
7 9
I want to create a bar graph with the dates 04_DEC_2017 05_DEC_2017 on the axis and the sum for each field plotted on the graph.
So this is what I've got at the moment:
index=xxxsourcetype=csv source=xxxx| table DEPT, *_2017, *_2018 | fields - 03_DEC_2017 | fillnull | where DEPT=xx OR DEPT=xxOR DEPT=xxOR DEPT=xxOR DEPT=xxOR DEPT=xx OR DEPT=xx OR DEPT=xx OR DEPT=xx OR DEPT=xx| stats sum(*_2017)
Any ideas?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
cmerriman
Super Champion
12-07-2017
05:29 AM
this will get you a sum of each date by dept (in the transpose, the 0 indicates no limit to how many columns/rows get transposed):
index=xxxsourcetype=csv source=xxxx (DEPT=xx OR DEPT=xx OR DEPT=xx OR DEPT=xx OR DEPT=xx OR DEPT=xx OR DEPT=xx OR DEPT=xx OR DEPT=xx OR DEPT=xx)| table DEPT, *_2017, *_2018 | fields - 03_DEC_2017 | fillnull | stats sum(*) as * by DEPT|transpose 0 header_field=DEPT column_name=DEPT
and this should get you the sum for all depts by basically creating a dummy field (called dept) and using that as the by command:
index=xxxsourcetype=csv source=xxxx (DEPT=xx OR DEPT=xx OR DEPT=xx OR DEPT=xx OR DEPT=xx OR DEPT=xx OR DEPT=xx OR DEPT=xx OR DEPT=xx OR DEPT=xx)| table DEPT, *_2017, *_2018 | fields - 03_DEC_2017 | fillnull |eval dept="all depts"| stats sum(*) as * by dept|transpose 0 header_field=dept column_name=dept
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
harsmarvania57
Ultra Champion
12-06-2017
03:59 AM
Hi @mahbs,
Can you please try below query ?
| makeresults
| eval 04_DEC_17=4, 05_DEC_17=5
| append [ | makeresults | eval 04_DEC_17=4, 05_DEC_17=6 ]
| eval tmp=1
| chart sum(*_17) AS *_17 over tmp
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
mahbs
Path Finder
12-06-2017
04:49 AM
Hi, the query is good, but the only issue is, the dates are automatically populated from data sent by a database periodically.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
harsmarvania57
Ultra Champion
12-06-2017
04:57 AM
ok, so can't you run below this query based on query which you provided ?
index=xxxsourcetype=csv source=xxxx| table DEPT, *_2017, *_2018 | fields - 03_DEC_2017 | fillnull | where DEPT=xx OR DEPT=xxOR DEPT=xxOR DEPT=xxOR DEPT=xxOR DEPT=xx OR DEPT=xx OR DEPT=xx OR DEPT=xx OR DEPT=xx
| eval tmp=1
| chart sum(*_2017) AS *_2017 over tmp
Get Updates on the Splunk Community!
Enterprise Security Content Update (ESCU) | New Releases
In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...
Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?
(This is the first of a series of 2 blogs).
Splunk Enterprise Security is a fantastic tool that offers robust ...
Index This | What are the 12 Days of Splunk-mas?
December 2024 Edition
Hayyy Splunk Education Enthusiasts and the Eternally Curious!
We’re back with another ...
