Solved: Column chart with two fields sharing one "bucket"

jrs42 · ‎06-13-2024

I have data with two fields that share a static range of 10 values. I'd like to show a column chart with the buckets on the X axis and two bars in each bucket, one for field A, the other for field B.

This doesn't work:

index=foo message="bar"
| stats count as "Field A" by A
| append 
    [ search index=foo message="bar"
      | stats count as "Field B" by B
    ]

I'm sure I'm missing something obvious ...

To reiterate, fields A and B are present in all events returned and share the same "buckets". Call them strings like "Group 1", "Group 2", etc. So A="Group 3" and B="Group 6" could be in the same event and in the chart I should have a count added for Groups 3 for the Field A column and Group 6 for the Field B column.

Thanks!

ITWhisperer · ‎06-13-2024

Try something like this

| eval row=mvrange(0,2)
| mvexpand row
| eval group=if(row=0,A,B)
| eval field=if(row=0,"A","B")
| stats count(eval(field=="A")) as A count(eval(field=="B")) as B by group

View solution in original post

ITWhisperer · ‎06-13-2024

Try something like this

| eval row=mvrange(0,2)
| mvexpand row
| eval group=if(row=0,A,B)
| eval field=if(row=0,"A","B")
| stats count(eval(field=="A")) as A count(eval(field=="B")) as B by group

Column chart with two fields sharing one "bucket"

stats

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Announcing Modern Navigation: A New Era of Splunk User Experience

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

Join the Conversation