Splunk Enterprise
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Line graph using csv

sandyjov1
Explorer
‎01-11-2022 10:20 AM

I am attempting to make a line graph with information from a csv w/ info from the past year.

 Nov 2020December 2020January 2021February 2021
Events19957
Cleared3117
Incidents3110
False Positives16847

 

I need each category to have its own line on  a line graph. The Months would be on x axis (nov20-nov21). It doesn't seem complicated, but cant seem to get the results .  Any help would be appreciated. Thanks 

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎01-11-2022 10:49 AM

You need to use transpose, then get rid of some added fields and sort the dates

| makeresults
| eval _raw="Category,November 2020,December 2020,January 2021,February 2021
Events,19,9,5,7
Cleared,3,1,1,7
Incidents,3,1,1,0
False Positives,16,8,4,7"
| multikv forceheader=1
| fields - linecount _raw _time
``` the lines above set up some sample data ```
| transpose 0 header_field=Category column_name=Date
| eval Date=strptime(Date."-01","%B_%Y-%d")
| where isnotnull(Date)
| sort 0 Date
| fieldformat Date=strftime(Date,"%B %Y")

View solution in original post

Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎01-11-2022 10:49 AM

You need to use transpose, then get rid of some added fields and sort the dates

| makeresults
| eval _raw="Category,November 2020,December 2020,January 2021,February 2021
Events,19,9,5,7
Cleared,3,1,1,7
Incidents,3,1,1,0
False Positives,16,8,4,7"
| multikv forceheader=1
| fields - linecount _raw _time
``` the lines above set up some sample data ```
| transpose 0 header_field=Category column_name=Date
| eval Date=strptime(Date."-01","%B_%Y-%d")
| where isnotnull(Date)
| sort 0 Date
| fieldformat Date=strftime(Date,"%B %Y")
Reply
Solved! Jump to solution

sandyjov1
Explorer
‎01-11-2022 11:27 AM

Thank you for help!
Is there a better way for me to setup my csv, so that I wouldn't need to transpose?

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎01-11-2022 01:52 PM

Put the dates in the first column and the categories across the top - it depends on how you set it up in the first place

0 Karma
Reply
Solved! Jump to solution

sandyjov1
Explorer
‎01-12-2022 10:06 AM

Thanks, this worked! Appreciate your efforts 🙂

0 Karma
Reply
Solved! Jump to solution

bowesmana
SplunkTrust
SplunkTrust
‎01-11-2022 01:50 PM

Transpose the CSV, so the rows are months and the columns are categories. That is how the timechart command will work to produce data for a time based chart where date is on the X axis.

 

Reply
Solved! Jump to solution

sandyjov1
Explorer
‎01-11-2022 02:01 PM

Thanks! 
what would the timechart query look like if I fixed my csv that way?

0 Karma
Reply
Solved! Jump to solution

bowesmana
SplunkTrust
SplunkTrust
‎01-11-2022 08:14 PM

If your CSV looks like this

bowesmana_0-1641960560852.png

and it's in a file called events.csv, then all you need is this query

| inputlookup events.csv
| eval Date=strptime(Date."-01","%B %Y-%d")
| sort 0 Date
| table Date *

You don't need to use the timechart as your data is already in the format a timechart would create

@ITWhisperer 's solution is perfectly good for your data as it stands, so unless it makes sense for you to change the data, just use his solution. If you are going to use the data in many places, just create a macro that would do all the initial load and transpose so your query just uses the macro to keep it clean. If you change your data format you just change the macro and everything will continue to work.

 

Reply
Solved! Jump to solution

sandyjov1
Explorer
‎01-12-2022 10:05 AM

Appreciate your help!

0 Karma
Reply
Register for .conf25!
Get Updates on the Splunk Community!

See just what you’ve been missing | Observability tracks at Splunk University

Looking to sharpen your observability skills so you can better understand how to collect and analyze data from ...

Weezer at .conf25? Say it ain’t so!

Hello Splunkers, The countdown to .conf25 is on-and we've just turned up the volume! We're thrilled to ...

How SC4S Makes Suricata Logs Ingestion Simple

Network security monitoring has become increasingly critical for organizations of all sizes. Splunk has ...