Solved: Chart with count statistics associated time from m...

splunksuperman · ‎10-29-2024

Hi Guys,

I have one master list that inculdes all items, and I want to consolidate two other time-related tables into a single chart, as shown in the example below.

master list

time-related table 1

time-related table 2

result chart

And could I use the chart to produce the pivot chart in Splunk?

ITWhisperer · ‎10-29-2024

Try something like this

| makeresults format=csv data="no,item
1,A
2,B
3,C
4,D
5,E"
| append
    [| makeresults format=csv data="date,item
    2024/10/1,A
    2024/10/1,B
    2024/10/1,C"]
| append
    [| makeresults format=csv data="date,item
    2024/10/2,C
    2024/10/2,D"]
``` The lines above represent your sample data appended together ```
| chart count by item date
| fields - NULL
| untable item date count

View solution in original post

ITWhisperer · ‎10-29-2024

Try something like this

| makeresults format=csv data="no,item
1,A
2,B
3,C
4,D
5,E"
| append
    [| makeresults format=csv data="date,item
    2024/10/1,A
    2024/10/1,B
    2024/10/1,C"]
| append
    [| makeresults format=csv data="date,item
    2024/10/2,C
    2024/10/2,D"]
``` The lines above represent your sample data appended together ```
| chart count by item date
| fields - NULL
| untable item date count

splunksuperman · ‎10-29-2024

You are so great!

Chart with count statistics associated time from multiple table

chart

stats

timechart

[Puzzles] Solve, Learn, Repeat: Dynamic formatting from XML events

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...

Join the Conversation