Solved: Formatting a Search for a Stacked Bar Graph

zachary_hickman · ‎05-14-2013

I've been reading into the splunk documentation, but I'm having trouble formatting a search so that I can use it in a stacked bar graph

Among other data, in this file, some events are logged as such:

%timestamp% - UArateLimit userAgent="%userAgent%" COUNT=%count%

Basically, for each day (there may be multiple logs for each useragent per day, so the final bar graph should have summed counts), I would like to stack the separate useragents and based on their counts.

How can I set up the search so that this is is possible? Thanks!

sdaniels · ‎05-14-2013

I think you are looking for something like below, based on your data, with 'count' and 'useragent' being your fields.

<your search> | bucket _time span=1d |stats count(Count) by userAgent

View solution in original post

sdaniels · ‎05-14-2013

I think you are looking for something like below, based on your data, with 'count' and 'useragent' being your fields.

<your search> | bucket _time span=1d |stats count(Count) by userAgent

Formatting a Search for a Stacked Bar Graph

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

Are you a member of the Splunk Community?

Formatting a Search for a Stacked Bar Graph

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...