Dashboards & Visualizations

## I have two fields Field-A and Field-B . Filed-A with numerical values , and Field-B with characters/words..how can i have a barchart with X-axis = Field-B values and Y-axis = Field-A values.

New Member

Tags (2)
Motivator

Assuming your fields do NOT have multivalues, give this a shot: `...| chart list(Fieild-A) as Field-A by Field-B`

New Member

Thanks surya ,

I already tried "...| chart list(Fieild-A) as Field-A by Field-B" , did not help.

The output contains rows where each row of Field-A maps to all the rows of Field-B

Splunk Employee

hi @brahmasa,

Thanks for posting. Did @cusello 's fix work? If so, approve his answer and give him an upvote. Otherwise, let us know how your problem is and so others can try to help out!

Legend

Hi brahmasa,
try something like this:

``````index=my_index
| stats sum(Field-A) AS Field-A BY Field-B
``````

then you can represent it as an histogram.
Bye.
Giuseppe

New Member

Hi Giuseppe,

sorry if I wasn't clear. below is exactly what I want.

New Member

ok, but the value 12 for January is from a single row or it's the sum of more rows?
this is the main question: if it's a single value, you have to use:

``````index=my_index
| stats values(Field-A) AS A BY Field-B Field-A
| fields - A
``````

if instead it's the sum of more rows, you have to use:

``````index=my_index
| stats sum(Field-A) AS Field-A BY Field-B
``````

Bye.
Giuseppe

New Member

Hi Giuseppe,

Field-A and Field-B values are extracted by regx by me from logs. There is no sum .
index **|
| rex field=raw "(?\s+\d{1,4}\s\w\w\s+|\s+\w+.\w+)" maxmatch=50
| rex field=Afields (?\d+)
| rex field=Afields (?\s\w+.\w+)
| table Field-A Field-B

Legend

Sorry if I cannot reach to explain:
I understand that Field-A and Field-B are extracted from your logs by regex.
The answer is related to the result you want:
e.g. the value "asssd" (that's in your previous message) has values 10, 4, 62, 87, what's the result you want:

• one row with the sum of all values
asssd 163
• one row with the higher value asssd 87
• one row with each value: asssd 10 asssd 4 asssd 62 asssd 87

?

Bye.
Giuseppe

New Member

Hi Giuseppe,

. one row with each value will be correct.

asssd 10
asssd 4
asssd 62
asssd 87

Thanks,

Legend

Hi brahmasa,
OK, try this:

``````   index=my_index
| stats values(Field-A) AS A BY Field-B Field-A
| fields - A
``````

and the visualize results using Histograms.

Bye.
Giuseppe

New Member

Thanks Giuseppe, ya have more rows. when I use

index=my_index
| stats values(Field-A) AS A BY Field-B Field-A
| fields - A I get the below as output.

10 abcdef
10 ddkjh
10 asasd
10 nanko
10 asssd
10 ddggg
10 fffff
10 fffht
10 xxxcc
4 abcdef
4 ddkjh
4 asasd
4 nanko
4 asssd
4 ddggg
4 fffff
4 fffht
4 xxxcc
62 abcdef
62 ddkjh
62 asasd
62 nanko
62 asssd
62 ddggg
62 fffff
62 fffht
62 xxxcc
87 abcdef
87 ddkjh
87 asasd
87 nanko
87 asssd
87 ddggg
87 fffff
87 fffht
87 xxxcc

New Member

Thanks Giuseppe,
The sum function returns some weird values as below .
eg:
1830
1830
1830
3660
1830
1830
1830
1830
3660
3660
1830
1830
1830
1830
3660
3660
1830
1830

Field-A contains below digits
10
4
62
87
79
22
57
6
1120
39
57
11
60
6
4
30
4
6
7

Legend

Hi brahmasa,
have you more rows for the same value in Field-B?
if yes in this way you have the sum of each value.

in instead you want a row for each record (also duplicated values), you could run something like this:

``````index=my_index
| stats values(Field-A) AS A BY Field-B Field-A
| fields - A
``````

Bye.
Giuseppe

Legend

• do you want a row for each Field-B (in this way you could have more rows for each Field-B);
• or a row for each distinct value of Field-B with the sum of all Field-A related to that Field-B.

In the first case you have to use

``````index=my_index
| stats values(Field-A) AS A BY Field-B Field-A
| fields - A
``````

In the second case you have to use

``````index=my_index
| stats sum(Field-A) AS Field-A BY Field-B
``````

Bye.
Giuseppe