Filter a chart?


A version of the following query gives me just what I'm looking for (although a much larger chart):

index="foo" search_text | chart count by result version

returns something like

| result | v1.1 | v1.2 | v1.3 | v1.4 |
| A      | 1823 |  283 |   12 |  941 |
| B      |  923 |   23 |    2 |  193 |
| C      |  810 |   74 |    1 |  324 |
| D      | 1192 |    2 |    6 |   90 |

The one thing I still need to do is to filter out entire columns based on an arbitrary value (say, the count of A for a particular version is less than 100). For example, v1.3 has only 12 instances of result 'A', so this chart should only show columns for v1.1, v1.2, and v1.4.

Re: Filter a chart?

Splunk Employee

Assuming you want this procedure to be fully automated, you can do something like:

index=foo search_text
| stats count by result version
| eventstats sum(count) as version_count by version
| search version_count > 100
| chart sum(count) by result version

This filters out columns whose column sum is > 100.

If you really mean just count of result=A, version=* > 100, then it's better to use a subsearch:

index=foo search_text [search index=foo search_text result=A
                      | stats count by version
                      | search count > 100
                      | fields version]
| chart count by result version
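To make the difference between the two searches above concrete, here is a small Python model of both filters run over constructed sample events. It is an added example, not SPL and not code from the thread or from Splunk: `chart_count` plays the role of `chart count by result version`, `filter_by_column_sum` mirrors the `eventstats`/`search version_count > 100` pipeline (keep a version if its whole column adds up to more than 100), and `filter_by_row_count` mirrors the subsearch (keep a version only if its count for one chosen result, here `A`, exceeds 100). The version names and the v1.1 to v1.4 numbers follow the question; v1.5 is an assumed extra column whose total is large but whose `A` count is small, so the two filters disagree on it.

```python
from collections import defaultdict

# Constructed sample data (not from the thread): events per (result, version).
# v1.1-v1.4 mirror the numbers in the question. v1.5 is an assumed extra version
# whose column total is well above 100 while its 'A' count is below 100, which is
# exactly where "column sum > 100" and "count of A > 100" give different answers.
SAMPLE_COUNTS = {
    ("A", "v1.1"): 1823, ("A", "v1.2"): 283, ("A", "v1.3"): 12, ("A", "v1.4"): 941, ("A", "v1.5"): 40,
    ("B", "v1.1"): 923,  ("B", "v1.2"): 23,  ("B", "v1.3"): 2,  ("B", "v1.4"): 193, ("B", "v1.5"): 350,
    ("C", "v1.1"): 810,  ("C", "v1.2"): 74,  ("C", "v1.3"): 1,  ("C", "v1.4"): 324, ("C", "v1.5"): 5,
    ("D", "v1.1"): 1192, ("D", "v1.2"): 2,   ("D", "v1.3"): 6,  ("D", "v1.4"): 90,  ("D", "v1.5"): 10,
}


def sample_events():
    """Expand the counts into one (result, version) tuple per event, like raw search results."""
    return [(r, v) for (r, v), n in SAMPLE_COUNTS.items() for _ in range(n)]


def chart_count(events):
    """Equivalent of `chart count by result version`: rows keyed by result, columns by version."""
    chart = defaultdict(lambda: defaultdict(int))
    for result, version in events:
        chart[result][version] += 1
    return {r: dict(cols) for r, cols in chart.items()}


def column_totals(chart):
    """Equivalent of `eventstats sum(count) as version_count by version`."""
    totals = defaultdict(int)
    for cols in chart.values():
        for version, n in cols.items():
            totals[version] += n
    return dict(totals)


def keep_columns(chart, versions):
    """Drop every version column that is not in `versions`."""
    return {r: {v: n for v, n in cols.items() if v in versions} for r, cols in chart.items()}


def filter_by_column_sum(chart, threshold):
    """eventstats approach: keep a version only if its whole column sums to more than threshold."""
    keep = {v for v, total in column_totals(chart).items() if total > threshold}
    return keep_columns(chart, keep)


def filter_by_row_count(chart, row, threshold):
    """subsearch approach: keep a version only if the count for one result row exceeds threshold."""
    keep = {v for v, n in chart.get(row, {}).items() if n > threshold}
    return keep_columns(chart, keep)


def kept_versions(chart):
    """Sorted list of the version columns still present in a chart."""
    return sorted({v for cols in chart.values() for v in cols})


if __name__ == "__main__":
    chart = chart_count(sample_events())
    print("column totals:", column_totals(chart))
    print("column sum > 100 keeps:", kept_versions(filter_by_column_sum(chart, 100)))
    print("count of A > 100 keeps:", kept_versions(filter_by_row_count(chart, "A", 100)))
```

With these inputs v1.3 is dropped by both filters (its column sums to 21), while v1.5 survives the column-sum filter (total 405) but not the `A`-count filter (only 40), which is why the answer asks which of the two the question actually means.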

Re: Filter a chart?


This worked perfectly, thanks! I'd previously tried the subsearch approach, but since I'm actually searching through a few hundred million records, the subsearch would always time out; the eventstats approach was just the trick.

