Solved: line graph multiple field values

HansK · ‎06-11-2012

I have a field which contents is a telephone number.

if I do:
host=ivr* | chart sparkline count by FIELDNAME

I get a graph for every FIELDNAME but what I want is a linegraph over time of top 20 FIELDNAME in one linegraph.

any ideas?

HansK · ‎06-11-2012

host=ivr* [search host=ivr* | top 20 FIELDNAME | fields FIELDNAME] | timechart count by FIELDNAME

View solution in original post

HansK · ‎06-11-2012

host=ivr* [search host=ivr* | top 20 FIELDNAME | fields FIELDNAME] | timechart count by FIELDNAME

Ayn · ‎06-11-2012

You can solve this using a subsearch for grabbing the top 20 FIELDNAME values, then use these results in the outer search, so it only looks for data with one of these FIELDNAME values.

host=ivr* [search host=ivr* | top 20 FIELDNAME | fields FIELDNAME] | chart sparkline count

line graph multiple field values

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

SplunkTrust Application Period is Officially OPEN!

Join the Conversation