Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Can I split a field based on its values and graph as multi-series?

jheney
New Member
‎06-04-2014 10:24 AM

I have a single numeric field that I want to timechart in ranges...i.e. rangemap the field into custom buckets, then timechart with a count by range. Because if the nature of the data, there are WAY more instances of "0" than any other value, making it difficult to interpret the non-zero values. I'd like to treat the 0 values as a different field, then create a timechart that has a count of the 0 values on one Y-axis and a stacked column of the other range values on a second Y-axis. Is such a thing possible? My simple search thus far looks like...

search RF-DELTA| rangemap field=RF-DELTA 0=0-0, 1-10=1-10, 11-20=11-20, 21-30=21-30, 31-40=31-40, 41-50=41-50, default=>50 | timechart span=1d count by range

I guess I need to understand whether I can split out the 0 values as a separate field AND if I can create a multi-axis timechart. Thanks in advance!

Tags (1)
0 Karma
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎06-04-2014 01:45 PM

You can do the multi-axis timechart since Splunk 6.1.

As for splitting the fields, no real need to do that. If you do a count by range you can specify the 0 field to be charted on a second Y-axis as a line on top of your column chart.

0 Karma
Reply
Get Updates on the Splunk Community!

September Community Champions: A Shoutout to Our Contributors!

As we close the books on another fantastic month, we want to take a moment to celebrate the people who are the ...

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...