Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to make a bar graph for two separate search criteria.

cjpizap
Explorer
‎10-12-2016 08:14 PM

Hello I would like to make a bar graph that show side by side in one column the results for the total number of clicks blocked based on a certain range of ip addresses and another column that shows the number of clicks blocked not in the specified range of ip addresses. Clicks blocked is a specific value of a field called action. I've tried something like
source = "pp.log" action = "CLKBLK" clickIP ="123.456." or clickIP="789." |stats count as local and this returns the number of clicks blocked but when I try to add in the search for clicks blocked not in those ip ranges I get no results found. Any ideas would be greatly appreciated. I feel like I may just be missing something simple.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

lquinn
Contributor
‎10-12-2016 09:15 PM

Assuming you want a count of the clicks blocked, split by whether it is in your IP range or not, try using the case command before your count, like this:

source="pp.log"action="CLKBLK" | eval IPType = case(match(clickIP,"123.456"),"InRange",match(clickIP,"789"),"InRange",match(clickIP,"."), "OutOfRange") | stats count by IPType

View solution in original post

Reply
Solved! Jump to solution

gokadroid
Motivator
‎10-13-2016 12:12 AM

Please try this query and choose column chart as visualization:

source = "pp.log" action = "CLKBLK" clickIP ="123.456." OR clickIP="789." 
|stats count as local
|eval reportkey="InRange"
| append [search source = "pp.log" action = "CLKBLK" NOT (clickIP ="123.456." OR clickIP="789.")
|stats count as local
|eval reportkey="OutRange"]
| chart max(local) by reportkey
Reply
Solved! Jump to solution

cjpizap
Explorer
‎10-14-2016 07:13 AM

This also worked really well so even though I can only accept one answer points for you too. Thanks for the help.

0 Karma
Reply
Solved! Jump to solution

gokadroid
Motivator
‎10-14-2016 06:17 PM

@cjpizap - As long as it worked well that's what we answered for. Thanks a lot for up vote !!

0 Karma
Reply
Solved! Jump to solution
Solution

lquinn
Contributor
‎10-12-2016 09:15 PM

Assuming you want a count of the clicks blocked, split by whether it is in your IP range or not, try using the case command before your count, like this:

source="pp.log"action="CLKBLK" | eval IPType = case(match(clickIP,"123.456"),"InRange",match(clickIP,"789"),"InRange",match(clickIP,"."), "OutOfRange") | stats count by IPType
Reply
Solved! Jump to solution

cjpizap
Explorer
‎10-14-2016 07:12 AM

This worked exactly like I needed thanks.

0 Karma
Reply
Get Updates on the Splunk Community!

Developer Spotlight with Paul Stout

Welcome to our very first developer spotlight release series where we'll feature some awesome Splunk ...

State of Splunk Careers 2024: Maximizing Career Outcomes and the Continued Value of ...

For the past four years, Splunk has partnered with Enterprise Strategy Group to conduct a survey that gauges ...

Data-Driven Success: Splunk & Financial Services

Splunk streamlines the process of extracting insights from large volumes of data. In this fast-paced world, ...