Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

How do I create a stacked bar chart with my data set?

dantu
Explorer
‎12-22-2015 09:05 AM

Hi Guys,

I have the following data set that i retrieve using a search : 

host           calltype       count

pc4bwsoap03 odata/v2       4931
pc4bwsoap03 sfapi/v1       134
pc4bwsoap03 api/oauth     13
pc4bwsoap03 xi/ajax     9
pc4bwsoap03 api/cdp     9
pc4bwsoap04 sfapi/v1    642
pc4bwsoap04 odata/v2      449
pc4bwsoap04 api/oauth     28
pc4bwsoap04 xi/ajax     24
pc4bwsoap04 api/cdp     23

Now in this you see the reappearance across multiple hosts of something like odata/v2 , sfapi/v1

Now how do I generate a stacked graph for this so that one of the axis is the host and it has one bar which represents the 2nd column instead of multiple bars?

Thank you
Dan

0 Karma
Reply

woodcock
Esteemed Legend
‎12-22-2015 03:41 PM

What is your search to generate this data?

0 Karma
Reply

alacercogitatus
SplunkTrust
SplunkTrust
‎12-22-2015 09:11 AM

Not sure of you main search, but this might help you:

 <your_search>  | contingency host calltype useother=f

This will provide a table of the counts by host and calltype. You can then use a Stacked bar chart to visualize the data.

There is an alternative to contingency in case you need to do a more advanced calculation. 

<your_search> | chart sum(counts) by host over calltype

This should return the same table, to use in the graph.

0 Karma
Reply

dantu
Explorer
‎12-22-2015 10:38 AM

Thanks for that.

the search that i am doing is a simple one. I have created a field extraction to extract the 2nd column of that table.

So when you actually do a top limit=5 it shows that there are two types for it .

Would it work then?

Thank you
Dan

0 Karma
Reply

alacercogitatus
SplunkTrust
SplunkTrust
‎12-22-2015 05:57 PM

Ah ok, so I think you are pulling that table as a single event. In that case:

<your_search_to_find_the_event> | rex field=_raw "(?<host>[^\s]+)\s+(?<calltype>[^\s]+)\s+(?<count>\d+)(?:[\r\n]+)?" max_match=0 | <contingency_or_chart_as above>
0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Network to App: Observability Unlocked [May & June Series]

In today’s digital landscape, your environment is no longer confined to the data center. It spans complex ...

SPL2 Deep Dives, AppDynamics Integrations, SAML Made Simple and Much More on Splunk ...

Splunk Lantern is Splunk’s customer success center that provides practical guidance from Splunk experts on key ...

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...