Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Creating a bar chart with multiple fields

andrwbn
Engager
‎01-08-2017 11:17 AM

I am trying to create a bar chart displaying the amount of active users the past 1 hour, 24 hour, and 1 week.

How would I go about doing this?

Thanks!

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gokadroid
Motivator
‎01-08-2017 04:27 PM

If you have the keywords to detect and filter out unique active users then you can follow below approach assuming field user identifies a user:

index= yourIndex earliest=-1h your query to return active user
| dedup user
| stats count as ActiveUser
| eval reportKey="Last1Hour"
| append [ search  index= yourIndex earliest=-24h your query to return active user
| dedup user
| stats count as ActiveUser
| eval reportKey="Last24Hour" ]
| append [ search index= yourIndex earliest=-7d your query to return active user
| dedup user
| stats count as ActiveUser
| eval reportKey="Last1Week" ]
| chart ActiveUser over reportKey

View solution in original post

Reply
Solved! Jump to solution
Solution

gokadroid
Motivator
‎01-08-2017 04:27 PM

If you have the keywords to detect and filter out unique active users then you can follow below approach assuming field user identifies a user:

index= yourIndex earliest=-1h your query to return active user
| dedup user
| stats count as ActiveUser
| eval reportKey="Last1Hour"
| append [ search  index= yourIndex earliest=-24h your query to return active user
| dedup user
| stats count as ActiveUser
| eval reportKey="Last24Hour" ]
| append [ search index= yourIndex earliest=-7d your query to return active user
| dedup user
| stats count as ActiveUser
| eval reportKey="Last1Week" ]
| chart ActiveUser over reportKey
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎01-08-2017 04:09 PM

Give this a try

Updated
Thanks @gokadroid for pointing out the flaw in the previous answer.

your base search earliest=-7d| eval Period=case(_time>=relative_time(now(),"-1h"),"1#Last 1 Hour"),_time>=relative_time(now(),"-24h"),"2#Last 24 Hour",1=1,"3#Last 1 Week") | stats count(UserField) as active_users by Period
| accum active_users | eval Period=mvindex(split(Period,"#"),1)
Reply
Solved! Jump to solution

gokadroid
Motivator
‎01-08-2017 04:30 PM

Should not the last one hour users be also part of last 24 hours? and so shall be the last 24 hours part of last 7days? Just thinking!

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Event Series: Splunk Observability Metrics Cost Optimization

Balancing Scale and Spend: Gaining Control Over High-Volume Metrics in Splunk Observability Cloud As ...

Kick the Tires Before You Commit: A Hands-On Tour of the Splunk Observability Cloud ...

Evaluating an enterprise observability platform usually goes like this: fill out a form, get a free trial with ...

Deep insights, no barriers: Splunk Observability Cloud Free Edition

As software delivery cycles continue to accelerate, observability shouldn’t be a luxury — it should be a ...