Dashboards & Visualizations
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to create bar chart with time & total amount?

hkchew
New Member
‎05-23-2018 08:45 PM

Under event column, i have these two values:

field_01 field_02
20180524110001 7452
20180524100001 7405
20180524090001 7276

How do I turn them into a bar chart with x-axis = time(per hour) & y-axis= field_02?

Tags (1)
0 Karma
Reply

somesoni2
Revered Legend
‎05-24-2018 12:31 AM

If your _time field value corresponds to your fields_01, then you can do something like this

your current search which includes _time field_01 field_02
| timechart span=1h count by field_02

If its's not and you want to use field_01 value as time, then you can do something like this

your current search which includes _time field_01 field_02
| eval _time=strptime(field_01,"%Y%m%d%H%M%S")  | timechart span=1h count by field_02
0 Karma
Reply

hkchew
New Member
‎05-24-2018 12:51 AM

thanks for the quick response.
but the value of the field_02 is already the total count.
hence is it still possible to plot a bar chart with field_01 & field_02?

0 Karma
Reply

xpac
SplunkTrust
SplunkTrust
‎05-24-2018 02:48 AM

Then try to use last() instead of sum(), or use max()...

0 Karma
Reply

niketn
Legend
‎05-24-2018 12:44 AM

@hkchew, the values in your question i.e. field_o1 and field_02 are present in your raw events or are generated using Splunk search with some transforming command? The reason why I ask is if you have already used some statistical commands to generate the table, then there might be a possibility to format the results as needed up-front. If they are as they appear in the raw events then you can try the following:

<yourBaseSearch>
| eval _time=strptime(field_01,"%Y%m%d%H%M%S")
| timechart span=1h sum(field_02) as Total

Following is the run anywhere search based on sample data provided:

| makeresults 
| eval data="20180524110001 7452;20180524100001 7405;20180524090001 7276" 
| makemv data delim=";" 
| mvexpand data 
| makemv data delim=" " 
| eval field_01=mvindex(data,0), field_02=mvindex(data,1) 
| fields - data
| eval _time=strptime(field_01,"%Y%m%d%H%M%S")
| timechart span=1h sum(field_02) as Total

@somesoni2, I think sum(field_02) as Total aggregate should be used instead of count by field_02 as field_02 already has the count.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply

hkchew
New Member
‎06-04-2018 08:59 PM

@niketnilay it works perfectly but the chart only shows the past records/figures.
how can i show the most recent records/figures on the chart?

0 Karma
Reply

niketn
Legend
‎05-24-2018 12:56 AM

@hkchew try sum(field_02) as per my comment above.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Get Updates on the Splunk Community!

Aligning Observability Costs with Business Value: Practical Strategies

 Join us for an engaging Tech Talk on Aligning Observability Costs with Business Value: Practical ...

Mastering Data Pipelines: Unlocking Value with Splunk

 In today's AI-driven world, organizations must balance the challenges of managing the explosion of data with ...

Splunk Up Your Game: Why It's Time to Embrace Python 3.9+ and OpenSSL 3.0

Did you know that for Splunk Enterprise 9.4, Python 3.9 is the default interpreter? This shift is not just a ...