Dashboards & Visualizations

How to include another field into the visual

Explorer

I'm working with dashboards and the goal is to show a bar graph panel that displays the counts for two different fields separately
(2 bars per timespan) if possible.
The data is from the same index: the action field (action=blocked) and the category field (category=221).

I can build a visual for each individual field but having trouble combining the two.

index=url_filter action=blocked login_id="$user$"|stats count by _time |bucket _time span=1h 

I have another field, not exclusive to [action=blocked], that I'd like to display as well.
Any tips appreciated.

0 Karma
1 Solution

Esteemed Legend

Like this:

index="url_filter" AND login_id="$user$" AND (action="blocked" OR category="221")
| bucket _time span=1h
| stats count(eval(action="blocked")) AS blocked count(eval(category="221")) AS count221 BY _time

OR

index="url_filter" AND login_id="$user$" AND (action="blocked" OR category="221")
| timechart span=1h count(eval(action="blocked")) AS blocked count(eval(category="221")) AS count221

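To show why both answers move `bucket` ahead of the aggregation, here is an added Python model of the two pipelines (not Splunk code and not from either answerer; the events and the user "alice" are constructed, with field names taken from the searches above):

```python
from collections import Counter, defaultdict
from datetime import datetime, timezone

# Constructed sample events; field names follow the thread's searches.
EVENTS = [
    {"_time": "2024-01-01T10:05:00Z", "login_id": "alice", "action": "blocked", "category": "221"},
    {"_time": "2024-01-01T10:20:00Z", "login_id": "alice", "action": "allowed", "category": "221"},
    {"_time": "2024-01-01T10:40:00Z", "login_id": "alice", "action": "blocked", "category": "15"},
    {"_time": "2024-01-01T11:10:00Z", "login_id": "alice", "action": "blocked", "category": "221"},
    {"_time": "2024-01-01T11:10:00Z", "login_id": "bob",   "action": "blocked", "category": "221"},
]
SPAN = 3600  # span=1h

def epoch(ts):
    return int(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc).timestamp())

def bucket(t, span=SPAN):
    # | bucket _time span=1h : floor the timestamp to the start of its hour
    return t - t % span

def base_search(events, user):
    # index="url_filter" AND login_id="$user$" AND (action="blocked" OR category="221")
    return [e for e in events
            if e["login_id"] == user and (e["action"] == "blocked" or e["category"] == "221")]

def bucket_then_stats(events, user):
    # | bucket _time span=1h
    # | stats count(eval(action="blocked")) AS blocked count(eval(category="221")) AS count221 BY _time
    rows = defaultdict(lambda: {"blocked": 0, "count221": 0})
    for e in base_search(events, user):
        row = rows[bucket(epoch(e["_time"]))]
        row["blocked"] += int(e["action"] == "blocked")
        row["count221"] += int(e["category"] == "221")
    return dict(sorted(rows.items()))   # one row per hour, two series

def stats_then_bucket(events, user):
    # The question's ordering: stats count BY _time groups on the raw timestamp, so
    # bucket afterwards only relabels _time and the rows for one hour are never merged.
    per_ts = Counter(epoch(e["_time"]) for e in base_search(events, user))
    return [(bucket(t), c) for t, c in sorted(per_ts.items())]
```

With the constructed events, `bucket_then_stats` yields two hourly rows, while `stats_then_bucket` yields four rows, three of them labelled with the same 10:00 hour.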

Explorer

Sorry for leaving it out, but a sample search for category would have been:

index=url_filter category=221 login_id="$user$"|stats count by _time |bucket _time span=1h

These answers have definitely put me on the right track with the eval.

0 Karma

Esteemed Legend

Do the bucket earlier. See my answer.

0 Karma

SplunkTrust

Try like this (assuming the counts are calculated independently for both conditions). You didn't provide a query for the calculation of category=221, so I'm just using a filter based on the category field; adjust the query to match yours.

index=url_filter (action=blocked login_id="$user$") OR (category=221)
| eval CountBlocked=if(action="blocked",1,0) , CountCat221=if(category=221,1,0)
| timechart span=1h sum(CountBlocked) as CountBlocked sum(CountCat221) as CountCat221


Explorer

This solution worked and is simplified, thank you both for the answers.

0 Karma

Esteemed Legend

Be sure to come back here and click Accept to close the question and also UpVote any answers or comments that were useful.

0 Karma