Solved: Column chart based on field value, without everyth...

jwiley_splunk · ‎03-25-2019

Currently having a hard time figuring out how to create a column chart where the field values show up in the side, so I can color code them in XML.

My query is bringing back the results into a table, which I then pipe into a count command to create this column chart. The chart is exactly the info I want to see, I just can't figure out how to make color code it, since it's all the "count" field in XML.

| Parent search query
| table Name, (other fields)
| stats count by Name

I've looked all over, but just can't figure it out.

renjith_nair · ‎03-25-2019

@jwiley_splunk ,

Try transpose ing it

| Parent search query
| table Name, (other fields)
| stats count by Name
| transpose 0 header_field=Name

Happy Splunking!

View solution in original post

renjith_nair · ‎03-25-2019

@jwiley_splunk ,

Try transpose ing it

| Parent search query
| table Name, (other fields)
| stats count by Name
| transpose 0 header_field=Name

Happy Splunking!

jwiley_splunk · ‎03-25-2019

That's almost perfect!

Is there a way to get the original labels back under the columns?

renjith_nair · ‎03-25-2019

@jwiley_splunk ,
Try this and select "stacked" in the format

 | Parent search query
 | table Name, (other fields)
 | eval _tmp=Name
 | chart count over Name by _tmp

Happy Splunking!

jwiley_splunk · ‎03-25-2019

You're a saint. Thank you so much Renjith!

Column chart based on field value, without everything being the "count" field

Build Scalable Security While Moving to Cloud - Guide From Clayton Homes

Mission Control | Explore the latest release of Splunk Mission Control (2.3)

Cloud Platform | Migrating your Splunk Cloud deployment to Python 3.7