Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Column Chart Stacked based on 4 columns(column 1 has duplicate because of group by 2nd column)

rajg369
Explorer
‎12-16-2021 08:20 AM

e.g query

| makeresults | eval application="FSD", val_1="A", val_2=4839, val_3=5000 | append [| makeresults | eval application="ABC", val_1="B", val_2=1000, val_3=3215] | append [| makeresults | eval application="ABC", val_1="E", val_2=478, val_3=4328] | table application val_1 val_2 val_3 | sort application

above query produces result table
TableTable

 

chart looks like
SC2.PNG

Question: instead of 2 stacked column ABC, i wanted 1 column(ABC) with 4 stacked values(1000,3215,478,4328) and FSD column with 2  stacked values as it is now

Please help

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎12-17-2021 02:22 AM 
| makeresults | eval application="FSD", val_1="A", val_2=4839, val_3=5000 | append [| makeresults | eval application="ABC", val_1="B", val_2=1000, val_3=3215] | append [| makeresults | eval application="ABC", val_1="E", val_2=478, val_3=4328] | table application val_1 val_2 val_3 | sort application
| streamstats count by application
| eventstats list(val_1) as val_1 by application
| foreach val_*
    [| eval name="copy_<<FIELD>> ".mvindex(val_1,count-1)
    | eval {name}=<<FIELD>>]
| stats values(copy_*) as * by application
| fields - val_1*

View solution in original post

Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎12-16-2021 08:55 AM 
| makeresults | eval application="FSD", val_1="A", val_2=4839, val_3=5000 | append [| makeresults | eval application="ABC", val_1="B", val_2=1000, val_3=3215] | append [| makeresults | eval application="ABC", val_1="E", val_2=478, val_3=4328] | table application val_1 val_2 val_3 | sort application
| streamstats count by application
| foreach val_*
    [| eval name="copy_<<FIELD>>_".count
    | eval {name}=<<FIELD>>]
| stats values(copy_*) as * by application
Reply
Solved! Jump to solution

rajg369
Explorer
‎12-16-2021 09:15 PM

Thanks ITWhisperer. It works.

One more question on the same topic. How can I show Val_1(A/B/E...) in tooltip/legend? 

This will help in understanding from the stacked column chart that the
value 1000 is from Application ABC and from B
value 479 is from Application ABC and from E

right now it shows application and val_>2_x(pls refer image below) in both tooltip and legend

Please help

SC3.jpg

Tags (1)
0 Karma
Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎12-17-2021 02:22 AM 
| makeresults | eval application="FSD", val_1="A", val_2=4839, val_3=5000 | append [| makeresults | eval application="ABC", val_1="B", val_2=1000, val_3=3215] | append [| makeresults | eval application="ABC", val_1="E", val_2=478, val_3=4328] | table application val_1 val_2 val_3 | sort application
| streamstats count by application
| eventstats list(val_1) as val_1 by application
| foreach val_*
    [| eval name="copy_<<FIELD>> ".mvindex(val_1,count-1)
    | eval {name}=<<FIELD>>]
| stats values(copy_*) as * by application
| fields - val_1*
Reply
Solved! Jump to solution

rajg369
Explorer
‎12-22-2021 05:50 AM

Hi ITWhisperer,

All works fine. The problem now i have is val_4 is also stacked, i don't want val_4 to be stacked or plotted in chart, i just want to show val_4 in tool tip along with the existing tooltip

e.g scenario
Application: ABC
val_2_B is the total time taken to process
val_4: is the total count of val_2_B items that was processed  [expected to show in tooltip and same should not be plotted in chart]

Please let me know if i am not clear

| makeresults
| eval application="FSD", val_1="A", val_2=4839, val_3=5000, val_4=1000
| append
[| makeresults
| eval application="ABC", val_1="B", val_2=1000, val_3=3215,val_4=2000]
| append
[| makeresults
| eval application="ABC", val_1="E", val_2=478, val_3=4328,val_4=3000]
| table application val_1 val_2 val_3 val_4
| sort application
| streamstats count by application
| eventstats list(val_1) as val_1 by application
| foreach val_*
[| eval name="copy_<<FIELD>> ".mvindex(val_1,count-1)
| eval {name}=<<FIELD>>]
| stats values(copy_*) as * by application
| fields - val_1*

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...

Fun with Regular Expression - multiples of nine

Fun with Regular Expression - multiples of nineThis challenge was first posted on Slack #regex channel ...