I am completely stumped as to how to chart two numbers.
I have two counts from two searches. I simply want to chart them side by side.
sourcetype=mySource AND first string I'm looking for | stats count as firstCount | appendcols [search sourcetype=mySource AND second string I'm looking for | stats count as secondCount] | chart <how to chart firstCount and secondCount on bar graph?>
The counts are fine and are returning the expected values. I just can't figure out how to chart them together. For instance, if I have the numbers 5 and 10, how can those show up on a simple numbered x-axis together in bar graph form?
Thanks
You don't need two searches. Put both conditions into the base search, then use an eval to create a field that distinguishes each. Use that field in the chart command to show the counts. Depending on your data, there may be other ways to do the eval (a unique field in each, for instance).
sourcetype=mySource ("first string I'm looking for" OR "second string I'm looking for")
| eval split=if(match(_raw, ".*first string I'm looking for.*"), "first", "second") | chart count by split
Like this:
index=YouShouldAlwaysSpecifyAnIndex AND sourcetype=mySource AND ("first string" OR "second string")
| stats count(eval(searchmatch("first string"))) AS firstCount count(eval(searchmatch("second string"))) AS secondCount
The rest is a matter of picking the right visualization and configuration options for it.
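To make the difference between the two posted searches concrete, here is an added Python simulation (not SPL, and not code from either answer) that runs both over a handful of constructed events. The eval/chart form assigns an event that contains both strings to "first" only and drops a category that has no events, while the stats/searchmatch form counts each string independently and returns 0 for an unmatched one; the substring matching stands in for Splunk's searchmatch and is an assumption of the simulation.

```python
import re
from collections import Counter

# Constructed sample events standing in for sourcetype=mySource (not real data).
EVENTS = [
    "2024-01-01T10:00:00 host=a msg=first string I'm looking for",
    "2024-01-01T10:00:01 host=b msg=second string I'm looking for",
    "2024-01-01T10:00:02 host=a msg=first string I'm looking for and second string I'm looking for",
    "2024-01-01T10:00:03 host=c msg=unrelated event",
    "2024-01-01T10:00:04 host=b msg=first string I'm looking for",
]
FIRST = "first string I'm looking for"
SECOND = "second string I'm looking for"


def base_search(events, *terms):
    """Approximates: sourcetype=mySource ("first ..." OR "second ...").
    Keeps only events containing at least one of the terms (plain substring
    match here; Splunk's term matching is an assumption of this simulation)."""
    return [e for e in events if any(t in e for t in terms)]


def chart_count_by_split(events):
    """Approximates: | eval split=if(match(_raw, ".*first...*"), "first", "second")
                     | chart count by split
    An event matching both strings lands in "first" only, and a value of
    split that never occurs is simply absent from the result (no bar)."""
    labels = ["first" if re.search(re.escape(FIRST), e) else "second"
              for e in base_search(events, FIRST, SECOND)]
    return dict(Counter(labels))


def stats_searchmatch(events):
    """Approximates: | stats count(eval(searchmatch("first..."))) AS firstCount
                             count(eval(searchmatch("second..."))) AS secondCount
    Each count is taken independently, so an overlapping event is counted in
    both, and a string that matches nothing yields 0 rather than a missing row."""
    hits = base_search(events, FIRST, SECOND)
    return {
        "firstCount": sum(FIRST in e for e in hits),
        "secondCount": sum(SECOND in e for e in hits),
    }


if __name__ == "__main__":
    print(chart_count_by_split(EVENTS))  # {'first': 3, 'second': 1}
    print(stats_searchmatch(EVENTS))     # {'firstCount': 3, 'secondCount': 2}
```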
Thanks. Why should we always use an index? I'm guessing performance related but can you be more specific as to why?
When you are not referencing an index in your search, you are relying on the Indexes searched by default setting that your admins control, so this setting can be changed at any time without notice and varies from role to role. This means that your search could behave very differently from user to user at the same time, or for the same user across time. This is absurdly risky and negligent on your part.
Makes sense.
Be sure to spread around the UpVotes to helpful answers and comments and click Accept to close your question.
This works, thank you. For a bonus... when one of the counts is 0, it will not have a bar on the graph. Is there a way to force a placement for this, such that the 0 value is conveyed? Otherwise it's not apparent that two values are being compared.
Ask a new question.