Dashboards & Visualizations

Splunk Visualization is not giving below results

uagraw01
Motivator

Hello Splunkers!!

I want to achieve below screenshot visualization. 

uagraw01_0-1713357668754.png

 

Below is my current query :

======================================================

index=ABC
sourcetype=ReplenishmentOrderAssign OR sourcetype=ReplenishmentOrderCompleted OR sourcetype=ReplenishmentOrderStarted OR sourcetype=ReplenishmentOrderCancel
| rex field=_raw "SenderFmInstanceName\>(?P<Workstation>[A-Za-z0-9]+\/[A-Za-z0-9]+)\<\/SenderFmInstanceName"
| rename ReplenishmentOrderAssign.OrderId as OrderId
| eval TimeAssigned=if(like(sourcetype,"%Assign"),_time,null) , TimeStarted=if(like(sourcetype,"%Started"),_time,null), TimeCompleted=if(like(sourcetype,"%Completed"),_time,null)
| eventstats count(OrderId) as CountOrderTypes by OrderId
| timechart span=5m count(TimeAssigned) as Assigned count(TimeStarted) as Started count(TimeCompleted) as Completed by Workstation
| streamstats sum(*)
| foreach "sum(Assigned:*)"
[| eval <<MATCHSEG1>>Assigned='<<FIELD>>'-'sum(Completed:<<MATCHSEG1>>)']
| foreach "sum(Started:*)"
[| eval <<MATCHSEG1>>Started='<<FIELD>>'-'sum(Completed:<<MATCHSEG1>>)']
| fields _time DEP*
| foreach "DEP/*"
[| eval <<MATCHSEG1>>=if('<<FIELD>>'>0,1,0)]
| fields - DEP/*
| foreach "*Assigned"
[| eval <<FIELD>>='<<FIELD>>'-'<<MATCHSEG1>>Started']
| foreach "*Assigned"
[| eval <<MATCHSEG1>>Idle=1-'<<FIELD>>'-'<<MATCHSEG1>>Started']
| addtotals *Started fieldname=Active
| addtotals *Assigned fieldname=Assigned
| addtotals *Idle fieldname=Idle
| fields _time Idle Assigned Active
| bin span=$span$ _time
| eventstats sum(*) as * by _time
| dedup _time

Current query is giving me below visualization. Please help me where I need to change in the query to get the above visualization?

uagraw01_0-1713357527227.png

 

0 Karma

uagraw01
Motivator

Is there anybody who can help me here ?

0 Karma
Get Updates on the Splunk Community!

See just what you’ve been missing | Observability tracks at Splunk University

Looking to sharpen your observability skills so you can better understand how to collect and analyze data from ...

Weezer at .conf25? Say it ain’t so!

Hello Splunkers, The countdown to .conf25 is on-and we've just turned up the volume! We're thrilled to ...

How SC4S Makes Suricata Logs Ingestion Simple

Network security monitoring has become increasingly critical for organizations of all sizes. Splunk has ...