Hello Splunkers!!
I want to achieve below screenshot visualization.
Below is my current query :
======================================================
index=ABC
sourcetype=ReplenishmentOrderAssign OR sourcetype=ReplenishmentOrderCompleted OR sourcetype=ReplenishmentOrderStarted OR sourcetype=ReplenishmentOrderCancel
| rex field=_raw "SenderFmInstanceName\>(?P<Workstation>[A-Za-z0-9]+\/[A-Za-z0-9]+)\<\/SenderFmInstanceName"
| rename ReplenishmentOrderAssign.OrderId as OrderId
| eval TimeAssigned=if(like(sourcetype,"%Assign"),_time,null) , TimeStarted=if(like(sourcetype,"%Started"),_time,null), TimeCompleted=if(like(sourcetype,"%Completed"),_time,null)
| eventstats count(OrderId) as CountOrderTypes by OrderId
| timechart span=5m count(TimeAssigned) as Assigned count(TimeStarted) as Started count(TimeCompleted) as Completed by Workstation
| streamstats sum(*)
| foreach "sum(Assigned:*)"
[| eval <<MATCHSEG1>>Assigned='<<FIELD>>'-'sum(Completed:<<MATCHSEG1>>)']
| foreach "sum(Started:*)"
[| eval <<MATCHSEG1>>Started='<<FIELD>>'-'sum(Completed:<<MATCHSEG1>>)']
| fields _time DEP*
| foreach "DEP/*"
[| eval <<MATCHSEG1>>=if('<<FIELD>>'>0,1,0)]
| fields - DEP/*
| foreach "*Assigned"
[| eval <<FIELD>>='<<FIELD>>'-'<<MATCHSEG1>>Started']
| foreach "*Assigned"
[| eval <<MATCHSEG1>>Idle=1-'<<FIELD>>'-'<<MATCHSEG1>>Started']
| addtotals *Started fieldname=Active
| addtotals *Assigned fieldname=Assigned
| addtotals *Idle fieldname=Idle
| fields _time Idle Assigned Active
| bin span=$span$ _time
| eventstats sum(*) as * by _time
| dedup _timeCurrent query is giving me below visualization. Please help me where I need to change in the query to get the above visualization?
