Splunk Search

How do I display more than one Multivalue fields in a stacked column chart?

New Member

I have a table with many multivalue fields.
For example, items, cp and sp are multivalue fields. Using the following command:
...| table items,cp,sp
say we have the following table as output:

Events  items   cp    sp
1       item1   5     6
        item2   7     4
        item3   8     9
2       item1   53    62
        item2   17    14
        item3   89    90
3       item5   50    55
        item6   17    14
        item7   110   90

My intent is to use a stacked column chart such that each column is an item column with the cp and sp values stacked, and the items should be grouped by events. Different events can be considered as time; at different times the cost/selling price of an item may differ.

0 Karma

SplunkTrust
| makeresults 
| eval _raw="Events,Items,Cp,Sp
1,item1,5,6
1,item2,7,4
1,item3,8,9
2,item1,53,62
2,item2,17,14
2,item3,89,90
3,item5,50,55
3,item6,17,14
3,item7,110,90" 
| multikv forceheader=1
| stats list(Items) as items list(Cp) as cp list(Sp) as sp by Events
| rename COMMENT as "this is sample. from here, the logic"
| eval counter=mvrange(0,mvcount(items))
| mvexpand counter
| foreach items cp sp [ eval <<FIELD>>=mvindex('<<FIELD>>' ,counter)]
| table  items cp sp
0 Karma

New Member

Actually, I was able to convert those multivalue fields into single values, break them out row-wise and show them as a column chart row-wise. But this is not my requirement. I need a stacked column chart with all the multivalue fields stacked in the column, and the column should be the item. These columns should be grouped event-wise. Event is not a field here; consider it as time.

So basically I need only that table which I have put in the question. ...| table items,cp,sp shows the table, but if I view it as a stacked column chart, it doesn't show up.
You can check my requirement in the following image.
Thanks

0 Karma

SplunkTrust

I made a column chart like your image.
Check Viz >> Format

0 Karma

New Member

Thanks for the prompt reply. Yes, your solution is giving the chart, but as I said, I want the items to be grouped; the solution is showing each as an individual bar. A grouped stacked column chart is my requirement, grouped by events.

0 Karma

SplunkTrust

What's stacked? cp and sp?
grouped
Column chart doesn't have this option.

0 Karma

New Member

Yes. cp and sp are stacked, they are fine. Okay, so you are saying those stacked column charts can't be grouped per event?

0 Karma

SplunkTrust

Default column chart can't group it.

0 Karma

New Member

Okay, thanks. I also couldn't figure out any way to do so.

0 Karma