Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How do I display more than one Multivalue fields in a stacked column chart?

manish095
New Member
‎04-13-2020 04:07 PM

I have a table having many multi-value fields.
For example: items, cp and sp are multivalue fields. Using the following command
...| table items,cp,sp
say,we have the following table as an ouput
Events ---- items ----cp---sp
1 

       item1     5    6
       item2     7    4
       item3     8    9

2

       item1     53    62
       item2     17    14
       item3     89    90

3

        item5     50   55
        item6     17    14
        item7     110    90

My intent is to use stacked column chart such that each column is an item column having cp and sp values stacked and the items should be grouped by events. Different events can be considered as time,at different time cost/selling price of an item may differ.

0 Karma
Reply

to4kawa
Ultra Champion
‎04-13-2020 05:35 PM 
| makeresults 
| eval _raw="Events,Items,Cp,Sp
1,item1,5,6
1,item2,7,4
1,item3,8,9
2,item1,53,62
2,item2,17,14
2,item3,89,90
3,item5,50,55
3,item6,17,14
3,item7,110,90" 
| multikv forceheader=1
| stats list(Items) as items list(Cp) as cp list(Sp) as sp by Events
| rename COMMENT as "this is sample. from here, the logic"
| eval counter=mvrange(0,mvcount(items))
| mvexpand counter
| foreach items cp sp [ eval <<FIELD>>=mvindex('<<FIELD>>' ,counter)]
| table  items cp sp
0 Karma
Reply

manish095
New Member
‎04-14-2020 02:04 PM

Actually I was able to convert those multivalue fieds into single value and break it as row-wise and show it as column chart row wise. But this is not my requirement. I need a stacked column chart having all the multivalue fields stacked in the column,and the column should be the item. These columns should be grouped event-wise. Event is not any field here,consider it as time.

So basically I need that table only which i have put in the question...| table items,cp,sp shows the table but if i see it as stacked column chart ,it doesn't show up.
You can check my requirement in the following image.
Thanks

0 Karma
Reply

to4kawa
Ultra Champion
‎04-14-2020 02:18 PM

I made column chart like your image.
check Viz >> Format

0 Karma
Reply

manish095
New Member
‎04-14-2020 02:44 PM

Thanks for the prompt reply. Yes,your solution is giving the chart but as I said I want the items to be grouped , the solution is showing it as an individual bar. Grouped stacked column chart is my requirement, grouped by events.

0 Karma
Reply

to4kawa
Ultra Champion
‎04-14-2020 03:05 PM

what's stacked? cp and sp ?
grouped
column chart doesn't have this option.

0 Karma
Reply

manish095
New Member
‎04-14-2020 03:22 PM

yes. cp and sp are stacked,they are fine. Okay so you are saying those stacked column charts can't be grouped per event?

0 Karma
Reply

to4kawa
Ultra Champion
‎04-15-2020 02:02 AM

default column chart can't group it.

0 Karma
Reply

manish095
New Member
‎04-15-2020 09:58 AM

okay..thanks..I also couldn't figure out any way to do so

0 Karma
Reply
Get Updates on the Splunk Community!

Updated Team Landing Page in Splunk Observability

We’re making some changes to the team landing page in Splunk Observability, based on your feedback. The ...

New! Splunk Observability Search Enhancements for Splunk APM Services/Traces and ...

Regardless of where you are in Splunk Observability, you can search for relevant APM targets including service ...

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...