Solved: Column chart with two fields sharing one "bucket"

jrs42 · ‎06-13-2024

I have data with two fields that share a static range of 10 values. I'd like to show a column chart with the buckets on the X axis and two bars in each bucket, one for field A, the other for field B.

This doesn't work:

index=foo message="bar"
| stats count as "Field A" by A
| append 
    [ search index=foo message="bar"
      | stats count as "Field B" by B
    ]

I'm sure I'm missing something obvious ...

To reiterate, fields A and B are present in all events returned and share the same "buckets". Call them strings like "Group 1", "Group 2", etc. So A="Group 3" and B="Group 6" could be in the same event and in the chart I should have a count added for Groups 3 for the Field A column and Group 6 for the Field B column.

Thanks!

ITWhisperer · ‎06-13-2024

Try something like this

| eval row=mvrange(0,2)
| mvexpand row
| eval group=if(row=0,A,B)
| eval field=if(row=0,"A","B")
| stats count(eval(field=="A")) as A count(eval(field=="B")) as B by group

View solution in original post

ITWhisperer · ‎06-13-2024

Try something like this

| eval row=mvrange(0,2)
| mvexpand row
| eval group=if(row=0,A,B)
| eval field=if(row=0,"A","B")
| stats count(eval(field=="A")) as A count(eval(field=="B")) as B by group

Column chart with two fields sharing one "bucket"

stats

Monitoring MariaDB and MySQL

Financial Services Industry Use Cases, ITSI Best Practices, and More New Articles ...

Splunk Federated Analytics for Amazon Security Lake