
How do I create a stacked bar chart sorted by host.

Builder

I am still learning all the nice functionality in Splunk, but have some trouble with this.

Example structure:

Aug 05 09:27:33 palito dog

Here I have two interesting fields:

host=palito
info=dog

Sample data:

Aug 05 09:27 palito dog
Aug 05 09:28 habo cat
Aug 05 09:29 jago horse
Aug 05 09:30 palito cat
Aug 05 09:31 palito cat
Aug 05 09:32 habo cat
Aug 05 09:33 jago horse
Aug 05 09:34 palito horse
Aug 05 09:35 habo dog 

From this I would like to get the graph sorted on the info (animal), so I get the top 5 animals using this:

 * | top limit=5 info

This gives three columns: cat=4, dog=2 and horse=3.
So far I am in full control of the situation.

But then I would also like to see the representation of the hosts, so these data give:

cat 4       palito 2    habo 2
dog 2       palito 1    habo 1
horse 3     palito 1    jago 2

I know how to select format-stacked, but not how to get 3 columns with 4 cat, where I color-separate it with 2 palito and 2 habo, etc.
So it should be 3 columns with the host percentage showing in each of them.

I tried this, but it is not working:

 * | top limit=5 info by host

Example of how the three columns should look:

 h
 h              j
 p      h       j
 p      p       p
 --------------------
 cat    dog     horse

Where p, h, and j are different colors.

0 Karma

Re: How do I create a stacked bar chart sorted by host.

Path Finder

Hi,

Try this:

 |  timechart count by host limit=10

If you are on the search page:
1. Go to Visualization and select bar chart
2. Select the format button
3. Select stack mode as: Stacked

0 Karma

Re: How do I create a stacked bar chart sorted by host.

Builder

This does not help.
It only shows hits over time for each host. I am not interested in time.
I need to see the number of each type of animal (info), and each column should show stacked hosts.

0 Karma

Re: How do I create a stacked bar chart sorted by host.

SplunkTrust

Try something like this

* | chart count over info by host  | addtotals fieldname="Total" | table info Total * | sort - Total | head 5

This should give you a nice table with info (animal name) as first column, Total (total count) and count by host (as separate columns). Just select stacked option in the visualization and you're set.


Re: How do I create a stacked bar chart sorted by host.

Builder

Thank you, this is really close to what I need.
To not add Total to every column, I removed it, so it looks like this:

 * | chart count over info by host  | addtotals fieldname="Total" | table info Total * | sort - Total | head 5 | field - Total

But I have a problem with addtotals. It sums up all the fields, which is OK, but if the field name is a number, it adds the number of the field name to the Total. To me that seems to be a bug. Is there a way around it?

This is what I would like to get:

info\host   palito  habo    jago    Total   
-----------------------------------------
cat         2       2               4
dog         1       1               2
82          1               2       3

This is what Splunk gives; look at the Total for the 82:

info\host   palito  habo    jago    Total   
-----------------------------------------
cat         2       2               4
dog         1       1               2
82          1               2       85

0 Karma
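
The following run-anywhere search is an added example, not part of the original thread. It rebuilds the thread's sample rows as constructed events (with `82` in place of `horse`, as in the last post) and runs the `chart ... | addtotals` pipeline from the answer above. With no field list, `addtotals` sums every numeric field in the row, which includes `info` when its value is a number; naming the host columns explicitly limits the sum to the counts. The example assumes the host column names `palito`, `habo` and `jago` are known in advance, and the field name `raw` is a placeholder.

```spl
| makeresults
| eval raw="palito dog;habo cat;jago 82;palito cat;palito cat;habo cat;jago 82;palito 82;habo dog"
| makemv delim=";" raw
| mvexpand raw
| rex field=raw "^(?<host>\S+)\s+(?<info>\S+)$"
| chart count over info by host
| addtotals fieldname=Total palito habo jago
| sort - Total
| head 5
| fields - Total
```

With the explicit field list, the row for `82` gets a Total of 3 before the final `fields - Total` drops the column, so the sort order is cat, 82, dog.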