Solved: Chart with count statistics associated time from m...

splunksuperman · ‎10-29-2024

Hi Guys,

I have one master list that inculdes all items, and I want to consolidate two other time-related tables into a single chart, as shown in the example below.

master list

time-related table 1

time-related table 2

result chart

And could I use the chart to produce the pivot chart in Splunk?

ITWhisperer · ‎10-29-2024

Try something like this

| makeresults format=csv data="no,item
1,A
2,B
3,C
4,D
5,E"
| append
    [| makeresults format=csv data="date,item
    2024/10/1,A
    2024/10/1,B
    2024/10/1,C"]
| append
    [| makeresults format=csv data="date,item
    2024/10/2,C
    2024/10/2,D"]
``` The lines above represent your sample data appended together ```
| chart count by item date
| fields - NULL
| untable item date count

View solution in original post

ITWhisperer · ‎10-29-2024

Try something like this

| makeresults format=csv data="no,item
1,A
2,B
3,C
4,D
5,E"
| append
    [| makeresults format=csv data="date,item
    2024/10/1,A
    2024/10/1,B
    2024/10/1,C"]
| append
    [| makeresults format=csv data="date,item
    2024/10/2,C
    2024/10/2,D"]
``` The lines above represent your sample data appended together ```
| chart count by item date
| fields - NULL
| untable item date count

splunksuperman · ‎10-29-2024

You are so great!

Chart with count statistics associated time from multiple table

chart

stats

timechart

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Monitoring AI Agents with Splunk Observability Cloud

[Puzzles] Solve, Learn, Repeat: Tiling

SOK it to Me: Top 3 Benefits of Using Splunk Operator on Kubernetes that’ll Make ...

Join the Conversation