Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Highlighted
Solved! Jump to solution

Multi-variable Bar Graph

JoshuaJohn
Contributor
‎06-05-2017 12:39 PM

Hi I am trying to make a multi-variable bar graph (Similar to the image below)
alt text

The first bar would be a static number: 22500

The second bar would be this search:
| inputlookup Report.csv | search u_last_policyrequest_time=*| fields u_last_policyrequest_time| eval Last_Policy_Request = strptime(u_last_policyrequest_time, "%m/%d/%Y %H:%M") | where Last_Policy_Request > relative_time(now(),"-48h")

The third bar would be this search: |inputlookup Report.csv|rename u_wifi_mac_address as Mac_Address | stats count as ActiveDevices by Mac_Address|stats sum(ActiveDevices) as SNTotal_Asset_Records|table SNTotal_Asset_Records

The fourth bar would be this search: |inputlookup Report.csv|rename u_wifi_mac_address as Mac_Address | stats count as ActiveDevices by Mac_Address|stats sum(ActiveDevices) as ActiveDevices | eval No_Record = 22500-ActiveDevices |table No_Record

I am not sure if it is possible to combine them like this. All of these results come from the same place.

0 Karma
Reply
1 Solution
Highlighted
Solved! Jump to solution

Re: Multi-variable Bar Graph

DalJeanis
SplunkTrust
SplunkTrust
‎06-05-2017 02:15 PM

Lots of ways to do this, here's one...

| inputlookup Report.csv 
| search u_last_policyrequest_time=*  OR isnotnull(u_wifi_mac_address)
| eval Last_Policy_Request = strptime(u_last_policyrequest_time, "%m/%d/%Y %H:%M") 
| eval policyCount=if(Last_Policy_Request > relative_time(now(),"-48h"),1,0)
| eval macCount=if(isnotnull(u_wifi_mac_address),1,0)
| stats sum(policyCount) as bar2, sum(macCount) as bar3
| eval bar1=22500
| eval bar4=bar1-bar3
0 Karma
Reply
Highlighted
Solved! Jump to solution
Solution

Re: Multi-variable Bar Graph

somesoni2
SplunkTrust
SplunkTrust
‎06-05-2017 03:11 PM

Another version

| inputlookup Report.csv
| stats count(eval(strptime(u_last_policyrequest_time,"%m/%d/%Y %H:%M")>relative_time(now(),"-48h")))) as Policy_Request_last2days
count(Mac_Address) as SNTotal_Asset_Records
| eval No_Record=22500-SNTotal_Asset_Records
| eval BaseBar=22500
| table BaseBar Policy_Request_last2days SNTotal_Asset_Records No_Record

View solution in original post

Reply
Highlighted
Solved! Jump to solution

Re: Multi-variable Bar Graph

DalJeanis
SplunkTrust
SplunkTrust
‎06-05-2017 05:05 PM

Heh. I need to practice typing | stats count(eval(blahblahblah)) until I have convinced myself that the code will actually run...

0 Karma
Reply