Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How can i create a stacked bar graph showing the different log levels?

sphiwee
Contributor
‎08-18-2023 05:03 AM

How can i create a stacked bar graph showing the different log levels (Error, Info, Debug)  generated by  each  Process 


index="intau_workfusion" sourcetype=workfusion.out.log host=*
| rex "^(?<Date>\d+-\d+-\d+\s+\d+:\d+:\d+)\s+\[[^\]]*\]\s*\[(?<Process>[^\]]*)\]\s*\[(?<Step>[^\]]*)\]\s*\[(?<User>[^\]]*)\]\s*[^\[]+\s\[(?<Log_level>[^\]]+)"
| search Log_level="*"
| where Process != ""

Labels (3)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎08-18-2023 08:50 AM

Try using the chart command to get both Log_level and Process in the output.

index="intau_workfusion" sourcetype=workfusion.out.log host=*
| rex "^(?<Date>\d+-\d+-\d+\s+\d+:\d+:\d+)\s+\[[^\]]*\]\s*\[(?<Process>[^\]]*)\]\s*\[(?<Step>[^\]]*)\]\s*\[(?<User>[^\]]*)\]\s*[^\[]+\s\[(?<Log_level>[^\]]+)"
| search Log_level="*"
| where Process != ""
| chart count over Process by Log_level

 To see the chart, switch to the Visualization tab, choose the "Column Chart" visualization, then select "Stacked" from the Format dropdown.  See the example below.

richgalloway_0-1692373794408.png

 

---
If this reply helps you, Karma would be appreciated.

View solution in original post

Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎08-18-2023 05:27 AM

Charts require a command that produces statistics (chart, stats, timechart, etc.).  Try this

index="intau_workfusion" sourcetype=workfusion.out.log host=*
| rex "^(?<Date>\d+-\d+-\d+\s+\d+:\d+:\d+)\s+\[[^\]]*\]\s*\[(?<Process>[^\]]*)\]\s*\[(?<Step>[^\]]*)\]\s*\[(?<User>[^\]]*)\]\s*[^\[]+\s\[(?<Log_level>[^\]]+)"
| search Log_level="*"
| where Process != ""
| stats count by Log_level

Then switch to the Visualization tab, choose the Bar Chart visualization, then select the Stacked format.

---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

sphiwee
Contributor
‎08-18-2023 06:04 AM

I have applied it but but its only showin like this, I want the log level to be stacked and to show according to Process 

sphiwee_0-1692363740674.png

 

Tags (1)
0 Karma
Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎08-18-2023 08:50 AM

Try using the chart command to get both Log_level and Process in the output.

index="intau_workfusion" sourcetype=workfusion.out.log host=*
| rex "^(?<Date>\d+-\d+-\d+\s+\d+:\d+:\d+)\s+\[[^\]]*\]\s*\[(?<Process>[^\]]*)\]\s*\[(?<Step>[^\]]*)\]\s*\[(?<User>[^\]]*)\]\s*[^\[]+\s\[(?<Log_level>[^\]]+)"
| search Log_level="*"
| where Process != ""
| chart count over Process by Log_level

 To see the chart, switch to the Visualization tab, choose the "Column Chart" visualization, then select "Stacked" from the Format dropdown.  See the example below.

richgalloway_0-1692373794408.png

 

---
If this reply helps you, Karma would be appreciated.
Reply
Get Updates on the Splunk Community!

Now Available: Cisco Talos Threat Intelligence Integrations for Splunk Security Cloud ...

At .conf24, we shared that we were in the process of integrating Cisco Talos threat intelligence into Splunk ...

Preparing your Splunk Environment for OpenSSL3

The Splunk platform will transition to OpenSSL version 3 in a future release. Actions are required to prepare ...

Easily Improve Agent Saturation with the Splunk Add-on for OpenTelemetry Collector

Agent Saturation What and Whys In application performance monitoring, saturation is defined as the total load ...