Hi Splunkers.
I'm trying to get event counts for timechart values displayed in the legend.
i.e. In the legend I want to display the event count, in addition to each value.
I am trying to include the count because a couple of values on the timechart hide the others, having a much higher record count in comparison to the rest.
I am already doing something similar for a pie chart:
[query] | stats count by my_fieldname | eval my_fieldname=my_fieldname.", ".count
(...with the eval command appending the count to the value displayed in the legend)
I don't seem to be able to get this working for a timechart. If I do the following, I end up with only one value appearing in the legend as "NULL"
[query] | eval my_fieldname=my_fieldname.", ".count | timechart count by responsestatus
I'm pretty sure this has to be manipulated before the timechart as there don't seem to be any timechart options to include the record count.
Hi @splunk_svc
Is this what you are looking for? This is a working example.
index=_internal | eventstats count by sourcetype | eval my_fieldname=sourcetype.", ".count | timechart count by my_fieldname
Hope it helps.
Edit: query outcome
Thanks alemarzu.
I gave that a go.
I get a single entry in the legend of "VALUE_json" with a total of all events found.
(There should be three values in the legend)
I tried it again and replaced "eval my_fieldname=sourcetype" with "eval my_fieldname=my_fieldname".
I now get the three values listed in the legend, but beside each is the same event count, i.e. the total event count across all three values.
Can you show me how you adapted the query I posted, or some data samples?
Are you doing:
index=_internal | eventstats count by my_fieldname| eval my_fieldname=sourcetype.", ".count | timechart count by my_fieldname
Got it.
Using "sourcetype" in the query was converting the value label into "_json".
Replacing sourcetype in alemarzu's query above with my_fieldname did the trick.
Thanks folks.
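As an added illustration (not a query from any poster in this thread), the failing and working forms written against the question's own `responsestatus` field; the `index=web sourcetype=access_combined` base search and the `span=1h` bucket size are assumptions, and the per-value total is given its own name so it is not confused with the per-bucket `count` that `timechart` produces.

```spl
index=web sourcetype=access_combined
| eval responsestatus=responsestatus.", ".count
| timechart span=1h count BY responsestatus

index=web sourcetype=access_combined
| eventstats count AS total_by_status BY responsestatus
| eval responsestatus=responsestatus.", ".total_by_status
| timechart span=1h count BY responsestatus
```

The first search yields a single "NULL" legend entry because no `count` field exists before a `stats`/`eventstats` command, so the concatenation produces null for every event. In the second search `eventstats` attaches the total for each status over the whole search time range to every event, so the legend reads, for example, "200, 48213" and "500, 37", and `timechart` still splits by the relabelled value.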
Nice, I'm glad it helped. Happy Splunking!