Splunk Search

How do I display more than one Multivalue fields in a stacked column chart?

manish095
New Member

I have a table having many multivalue fields.
For example: items, cp and sp are multivalue fields. Using the following command
...| table items,cp,sp
say we have the following table as an output:
Events   items   cp    sp
1        item1   5     6
         item2   7     4
         item3   8     9

2        item1   53    62
         item2   17    14
         item3   89    90

3        item5   50    55
         item6   17    14
         item7   110   90

My intent is to use a stacked column chart such that each column is an item column having cp and sp values stacked, and the items should be grouped by events. Different events can be considered as time; at different times the cost/selling price of an item may differ.

0 Karma

to4kawa
Ultra Champion
| makeresults 
| eval _raw="Events,Items,Cp,Sp
1,item1,5,6
1,item2,7,4
1,item3,8,9
2,item1,53,62
2,item2,17,14
2,item3,89,90
3,item5,50,55
3,item6,17,14
3,item7,110,90" 
| multikv forceheader=1
| stats list(Items) as items list(Cp) as cp list(Sp) as sp by Events
| rename COMMENT as "this is sample. from here, the logic"
| eval counter=mvrange(0,mvcount(items))
| mvexpand counter
| foreach items cp sp [ eval <<FIELD>>=mvindex('<<FIELD>>' ,counter)]
| table  items cp sp
0 Karma

manish095
New Member

Actually I was able to convert those multivalue fields into single values, break them out row-wise and show them as a column chart row-wise. But this is not my requirement. I need a stacked column chart having all the multivalue fields stacked in the column, and the column should be the item. These columns should be grouped event-wise. Event is not any field here, consider it as time.

So basically I need only that table which I have put in the question. ...| table items,cp,sp shows the table, but if I view it as a stacked column chart, it doesn't show up.
You can check my requirement in the following image.
Thanks

0 Karma

to4kawa
Ultra Champion

I made a column chart like your image.
Check Viz >> Format.

0 Karma

manish095
New Member

Thanks for the prompt reply. Yes, your solution is giving the chart, but as I said I want the items to be grouped; the solution is showing each as an individual bar. A grouped stacked column chart is my requirement, grouped by events.

0 Karma

to4kawa
Ultra Champion

What's stacked? cp and sp?
grouped
column chart doesn't have this option.

0 Karma

manish095
New Member

Yes. cp and sp are stacked, they are fine. Okay, so you are saying those stacked column charts can't be grouped per event?

0 Karma

to4kawa
Ultra Champion

The default column chart can't group it.

0 Karma

manish095
New Member

Okay, thanks. I also couldn't figure out any way to do so.

0 Karma