Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to create bar chart with time & total amount?

hkchew
New Member
‎05-23-2018 08:45 PM

Under event column, i have these two values:

field_01 field_02
20180524110001 7452
20180524100001 7405
20180524090001 7276

How do I turn them into a bar chart with x-axis = time(per hour) & y-axis= field_02?

Tags (1)
0 Karma
Reply

somesoni2
Revered Legend
‎05-24-2018 12:31 AM

If your _time field value corresponds to your fields_01, then you can do something like this

your current search which includes _time field_01 field_02
| timechart span=1h count by field_02

If its's not and you want to use field_01 value as time, then you can do something like this

your current search which includes _time field_01 field_02
| eval _time=strptime(field_01,"%Y%m%d%H%M%S")  | timechart span=1h count by field_02
0 Karma
Reply

hkchew
New Member
‎05-24-2018 12:51 AM

thanks for the quick response.
but the value of the field_02 is already the total count.
hence is it still possible to plot a bar chart with field_01 & field_02?

0 Karma
Reply

xpac
SplunkTrust
SplunkTrust
‎05-24-2018 02:48 AM

Then try to use last() instead of sum(), or use max()...

0 Karma
Reply

niketn
Legend
‎05-24-2018 12:44 AM

@hkchew, the values in your question i.e. field_o1 and field_02 are present in your raw events or are generated using Splunk search with some transforming command? The reason why I ask is if you have already used some statistical commands to generate the table, then there might be a possibility to format the results as needed up-front. If they are as they appear in the raw events then you can try the following:

<yourBaseSearch>
| eval _time=strptime(field_01,"%Y%m%d%H%M%S")
| timechart span=1h sum(field_02) as Total

Following is the run anywhere search based on sample data provided:

| makeresults 
| eval data="20180524110001 7452;20180524100001 7405;20180524090001 7276" 
| makemv data delim=";" 
| mvexpand data 
| makemv data delim=" " 
| eval field_01=mvindex(data,0), field_02=mvindex(data,1) 
| fields - data
| eval _time=strptime(field_01,"%Y%m%d%H%M%S")
| timechart span=1h sum(field_02) as Total

@somesoni2, I think sum(field_02) as Total aggregate should be used instead of count by field_02 as field_02 already has the count.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply

hkchew
New Member
‎06-04-2018 08:59 PM

@niketnilay it works perfectly but the chart only shows the past records/figures.
how can i show the most recent records/figures on the chart?

0 Karma
Reply

niketn
Legend
‎05-24-2018 12:56 AM

@hkchew try sum(field_02) as per my comment above.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Day 0

Hello Splunk Community! My name is Chris, and I'm based in Canberra, Australia's capital, and I travelled for ...

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

(view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...