Solved: Column chart with two fields sharing one "bucket"

jrs42 · ‎06-13-2024

I have data with two fields that share a static range of 10 values. I'd like to show a column chart with the buckets on the X axis and two bars in each bucket, one for field A, the other for field B.

This doesn't work:

index=foo message="bar"
| stats count as "Field A" by A
| append 
    [ search index=foo message="bar"
      | stats count as "Field B" by B
    ]

I'm sure I'm missing something obvious ...

To reiterate, fields A and B are present in all events returned and share the same "buckets". Call them strings like "Group 1", "Group 2", etc. So A="Group 3" and B="Group 6" could be in the same event and in the chart I should have a count added for Groups 3 for the Field A column and Group 6 for the Field B column.

Thanks!

ITWhisperer · ‎06-13-2024

Try something like this

| eval row=mvrange(0,2)
| mvexpand row
| eval group=if(row=0,A,B)
| eval field=if(row=0,"A","B")
| stats count(eval(field=="A")) as A count(eval(field=="B")) as B by group

View solution in original post

ITWhisperer · ‎06-13-2024

Try something like this

| eval row=mvrange(0,2)
| mvexpand row
| eval group=if(row=0,A,B)
| eval field=if(row=0,"A","B")
| stats count(eval(field=="A")) as A count(eval(field=="B")) as B by group

Column chart with two fields sharing one "bucket"

stats

Observe and Secure All Apps with Splunk

Splunk Decoded: Business Transactions vs Business IQ

Fastest way to demo Observability

Are you a member of the Splunk Community?

Column chart with two fields sharing one "bucket"

stats

Observe and Secure All Apps with Splunk

Splunk Decoded: Business Transactions vs Business IQ

Fastest way to demo Observability