Solved: Formatting a Search for a Stacked Bar Graph

zachary_hickman · ‎05-14-2013

I've been reading into the splunk documentation, but I'm having trouble formatting a search so that I can use it in a stacked bar graph

Among other data, in this file, some events are logged as such:

%timestamp% - UArateLimit userAgent="%userAgent%" COUNT=%count%

Basically, for each day (there may be multiple logs for each useragent per day, so the final bar graph should have summed counts), I would like to stack the separate useragents and based on their counts.

How can I set up the search so that this is is possible? Thanks!

sdaniels · ‎05-14-2013

I think you are looking for something like below, based on your data, with 'count' and 'useragent' being your fields.

<your search> | bucket _time span=1d |stats count(Count) by userAgent

View solution in original post

sdaniels · ‎05-14-2013

I think you are looking for something like below, based on your data, with 'count' and 'useragent' being your fields.

<your search> | bucket _time span=1d |stats count(Count) by userAgent

Formatting a Search for a Stacked Bar Graph

Wrapping Up Cybersecurity Awareness Month

🌟 From Audit Chaos to Clarity: Welcoming Audit Trail v2

What's New in Splunk Observability - October 2025

Are you a member of the Splunk Community?

Formatting a Search for a Stacked Bar Graph

Wrapping Up Cybersecurity Awareness Month

🌟 From Audit Chaos to Clarity: Welcoming Audit Trail v2

What's New in Splunk Observability - October 2025