Solved: Formatting a Search for a Stacked Bar Graph

zachary_hickman · ‎05-14-2013

I've been reading into the splunk documentation, but I'm having trouble formatting a search so that I can use it in a stacked bar graph

Among other data, in this file, some events are logged as such:

%timestamp% - UArateLimit userAgent="%userAgent%" COUNT=%count%

Basically, for each day (there may be multiple logs for each useragent per day, so the final bar graph should have summed counts), I would like to stack the separate useragents and based on their counts.

How can I set up the search so that this is is possible? Thanks!

sdaniels · ‎05-14-2013

I think you are looking for something like below, based on your data, with 'count' and 'useragent' being your fields.

<your search> | bucket _time span=1d |stats count(Count) by userAgent

View solution in original post

sdaniels · ‎05-14-2013

I think you are looking for something like below, based on your data, with 'count' and 'useragent' being your fields.

<your search> | bucket _time span=1d |stats count(Count) by userAgent

Formatting a Search for a Stacked Bar Graph

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!