Chart Help

Hppjet · ‎11-16-2017

I am not able to get the chart to show the top 10 shop orders with TSY instead it just shows the first 10. Please help.

somesoni2 · ‎11-16-2017

Give this a try

index="all_eqt" 
| stats sum(TotalSquareYards) as TSY by ShopOrder DefectDescription
| appendpipe [| stats sum(TSY) as TSY by ShortOrder | sort 10 -TSY | eval isTop10="Y" | eval isTotalRow="Y" ]
| eventstats values(isTop10) as isTop10 by ShortOrder | where isTop10="Y" AND NOT isTotalRow="Y"
| chart sum(TSY) over ShopOrder by DefectDescription

The appendpipe subsearch will get total TSY by ShortOrder, get top 10 from that and flag those ShortOrders. The eventstats will apply the flag on all matching (top 10) ShortOrders. The where clause will just remove all unnecessary results (not in top 10 and those appendpipe results).

somesoni2 · ‎11-16-2017

Do you want to show top 10 TSY for each ShopOrder?

Hppjet · ‎11-16-2017

I want to show the top 10 shop orders. Then show the sum of the parts that make up the shop order.

niketn · ‎11-23-2017

@Hppjet, were you able to try out any of the answers below? Is your issue resolved?

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

niketn · ‎11-16-2017

@Hppjet, after sorting results in descending order of TSY, apply streamstats to count occurrence of ShopOrder field as eventcount and apply filter for eventcount <10:

index="all_eqt" 
| stats sum(TotalSquareYards) as TSY by ShopOrder DefectDescription 
| table ShopOrder DefectDescription TSY 
|  sort - TSY
|  streamstats count as eventcount by ShopOrder
|  where eventcount <= 10
|  chart sum(TSY) over ShopOrder by DefectDescription

Please try out and confirm.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

Chart Help

Introducing Splunk Enterprise 9.2

Adoption of RUM and APM at Splunk

Routing logs with Splunk OTel Collector for Kubernetes