Hello everyone, I'm just beginning to use Splunk and I want to do this:
    
I already tried this:
index="************"
| fields tag, id
| mvexpand tag
| dedup tag
| chart limit=0 dc(id) by id, tag
| replace 1 with "X"
| replace 0 with ""
But it doesn't work the way I want; I lose some data when I dedup on tag...
What am I doing wrong? Could you help me?
Thank you for your time!
Just add this:
| chart count OVER _time BY tag
| fields - NULL
| replace 1 with "*" 0 with ""
We had to leave a blank value in there to have that day with no tags remain in the chart.
Here's a run anywhere sample...
| gentimes start=07/31/17 end=8/1/17
| eval mydata="+10d,a b c d e f!!!!+11d,b e f!!!!+12d,c e a d!!!!+13d,a c f!!!!+14d,f!!!!+15d,b!!!!+16d,((none))!!!!+17d,g" 
| makemv DELIM="!!!!" mydata
| mvexpand mydata
| makemv DELIM="," mydata
| eval _time=relative_time(starttime,mvindex(mydata,0))
| eval tag=split(mvindex(mydata,1)," ")
| table _time tag
| mvexpand tag
| eval unit=1
| eval tag=if(tag="((none))"," ",tag)
| chart limit=0 eval(case(tag=" "," ",max(unit)>0,"X",true(),null())) over _time by tag
...with these results... (there is a blank column to the left of a)....
_time        a  b  c  d  e  f  g
2017-08-10   X  X  X  X  X  X
2017-08-11      X        X  X
2017-08-12   X     X  X  X
2017-08-13   X     X        X
2017-08-14                  X
2017-08-15      X
2017-08-16
2017-08-17                     X
I don't think you should be doing dedup. If your tag field is multivalued field and you want to show combinations of a id and tag, don't do dedup. Remove it and see if gives the output you want.
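Added example (not posted by anyone in this thread): a small Python model of the `mvexpand` / `dedup` / `chart dc(id) by id, tag` steps, written to show concretely why the `dedup tag` step drops id/tag combinations and how the blank-tag placeholder from the run-anywhere sample keeps an id with no tags in the chart. The events are constructed sample data; the function names and the id/tag values are my own and are not Splunk output.

```python
# Added example: a Python model of the SPL steps discussed in this thread.
# The events below are constructed sample data, not real Splunk results.
from collections import OrderedDict

# Constructed events: each has an id and a multivalued "tag" field (a list).
EVENTS = [
    {"id": "host1", "tag": ["a", "b", "c"]},
    {"id": "host2", "tag": ["b", "e"]},
    {"id": "host3", "tag": []},            # an id with no tags at all
    {"id": "host4", "tag": ["a", "c", "f"]},
]


def mvexpand(events, field):
    """Like `| mvexpand <field>`: one output row per value of the multivalued field.

    A row whose field is empty keeps a single blank placeholder value so the id
    does not vanish from the result (the "((none))" -> " " trick above).
    """
    rows = []
    for ev in events:
        values = ev[field] or [" "]
        for v in values:
            row = dict(ev)
            row[field] = v
            rows.append(row)
    return rows


def dedup(rows, field):
    """Like `| dedup <field>`: keeps only the FIRST row seen for each value.

    Every later row carrying an already-seen tag is discarded, whatever its id.
    """
    seen = set()
    out = []
    for r in rows:
        if r[field] in seen:
            continue
        seen.add(r[field])
        out.append(r)
    return out


def chart_presence(rows):
    """Like `| chart dc(id) by id, tag` followed by `replace 1 with "X" 0 with ""`.

    Returns {id: {tag: "X" or ""}} over every real tag seen in the rows;
    the blank placeholder tag is not given a column of its own.
    """
    tags = sorted({r["tag"] for r in rows if r["tag"] != " "})
    ids = OrderedDict((r["id"], None) for r in rows)
    chart = {}
    for i in ids:
        present = {r["tag"] for r in rows if r["id"] == i}
        chart[i] = {t: ("X" if t in present else "") for t in tags}
    return chart


def build_chart(events, use_dedup=False):
    """Run the modelled pipeline with or without the `dedup tag` step."""
    rows = mvexpand(events, "tag")
    if use_dedup:
        rows = dedup(rows, "tag")
    return chart_presence(rows)


def render(chart):
    """Plain-text rendering in the same shape as the Splunk results table."""
    tags = sorted(next(iter(chart.values())).keys()) if chart else []
    lines = ["id       " + "  ".join(tags)]
    for i, cells in chart.items():
        lines.append(f"{i:<9}" + "  ".join(cells[t] or " " for t in tags))
    return "\n".join(lines)


if __name__ == "__main__":
    print("without dedup:")
    print(render(build_chart(EVENTS)))
    print("\nwith dedup on tag (combinations lost):")
    print(render(build_chart(EVENTS, use_dedup=True)))
```

Run it and compare the two tables: without `dedup`, host2 shows both b and e and host4 shows a, c and f; with `dedup tag`, host2 keeps only e and host4 only f, because the a, b and c rows for those ids were thrown away as duplicates of tags already seen on host1. host3 stays in both charts only because of the blank placeholder value.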
