Solved: Legends in bar chart

erkin · ‎03-18-2024

Hi, Im a novice to Splunk and i have a question regarding visualization.

I have my query like this:

|...myBaseQuery
| chart c as "Count" by category

This results in me only having one legend in my visualization, "Count". I was wondering if there's any way to get the all the values as a legend on the right (see image) ?

I realized this is possible when i also use the retailUnit in the chart command:

|...myBaseQuery
| chart c as "Count" by retailUnit category

Then I get one label for each category (see image), but i want to achieve this without sorting on retailUnit.

Is this possible?

ITWhisperer · ‎03-18-2024

Do you mean something like this

| eval static="Category"
| chart count by static category

View solution in original post

erkin · ‎03-18-2024

Yes! Exactly what I need, thank you.

Now the only issue I'm having is that I'm no longer available to sort the bar chart in descending order. Earlier I used to do | sort -count, but that doesn't seem to work using static

ITWhisperer · ‎03-18-2024

Yes, chart will sort the columns by name. In order to get around this, you need to use transpose

| eval static="Category"
| chart count by static category
| transpose header_field=static column_name=category
| sort - Category
| transpose header_field=category column_name=static

ITWhisperer · ‎03-18-2024

Do you mean something like this

| eval static="Category"
| chart count by static category

Legends in bar chart

chart

Now Available: Cisco Talos Threat Intelligence Integrations for Splunk Security Cloud ...

Preparing your Splunk Environment for OpenSSL3

Easily Improve Agent Saturation with the Splunk Add-on for OpenTelemetry Collector