Splunk Search

Bar chart with non-numeric data

b1388035
Explorer

I'm looking to create a grouped bar chart from data in the following format:

---- ID Results

1: AAA, B321

2: AAA, A918

3: AAA, C391

4: BBB, A918

5: BBB, C391

6: CCC, B321

7: CCC, A918

Essentially I would like to easily visualize which ID has the same results. My idea is to have a bar chart with the IDs listed along the 'X' and then above each ID a 1 unit stacked colour bar representing a result.

If I run a search for:

Results=* | chart Values(Result) by ID

I get the table shown below but the graph view is just axis.

ID ---------Results

AAA---------B321, A918, C391

BBB---------A918, C391

CCC---------B321, A918,

Tags (2)
1 Solution

cphair
Builder

Try


... | chart dc(Results) over ID by Results

and make it a stacked bar graph. You may have to set limit=X to see everything if you have a lot of values.

View solution in original post

cphair
Builder

Try


... | chart dc(Results) over ID by Results

and make it a stacked bar graph. You may have to set limit=X to see everything if you have a lot of values.

b1388035
Explorer

The source data is something like:
1: AAA, B321
2: AAA, A918
3: AAA, C391
4: BBB, A918
5: BBB, C391
6: CCC, B321
7: CCC, A918

0 Karma

jkat54
SplunkTrust
SplunkTrust

I'm not certain that you are providing the source data. It appears you're providing what splunk gives you when you run the search string you've listed. We need the source data that you're running the search string on in order to help you.

0 Karma
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Think Like an Architect: Introducing the Splunk Certified Cybersecurity Defense ...

In cybersecurity, defenders respond to threats. Architects design the systems that stop them.    As ...

Best Practices: Splunk auto adjust pipeline queue

When you enable autoAdjustQueue in Splunk, maxSize should be understood as the queue size Splunk starts with ...

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...