Splunk Search

How do you chart two unrelated numbers?

tmaurst
Engager

I am completely stumped as to how to chart two numbers.

I have two counts from two searches. I simply want to chart them side by side.

sourcetype=mySource AND first string I'm looking for | stats count as firstCount | appendcols [search sourcetype=mySource AND second string I'm looking for | stats count as secondCount] | chart <how to chart firstCount and secondCount on bar graph?>

The counts are fine and are returning the expected values. I just can't figure out how to chart them together. For instance, if I have the numbers 5 and 10, how can those show up on a simple numbered x-axis together in bar graph form?

Thanks

0 Karma
1 Solution

richgalloway
SplunkTrust

You don't need two searches. Put both conditions into the base search then use an eval to create a field that distinguishes each. Use that field in the chart command to show the counts. Depending on your data, there may be other ways to do the eval (a unique field in each, for instance).

sourcetype=mySource ("first string I'm looking for" OR "second string I'm looking for") 
| eval split=if(match(_raw, ".*first string I'm looking for.*"), "first", "second") | chart count by split
---
If this reply helps you, Karma would be appreciated.

0 Karma

woodcock
Esteemed Legend

Like this:

index=YouShouldAlwaysSpecifyAnIndex AND sourcetype=mySource AND ("first string" OR "second string")
| stats count(eval(searchmatch("first string"))) AS firstCount count(eval(searchmatch("second string"))) AS secondCount

The rest is a matter of picking the right visualization and configuration options for it.

0 Karma

tmaurst
Engager

Thanks. Why should we always use an index? I'm guessing performance related but can you be more specific as to why?

0 Karma

woodcock
Esteemed Legend

When you are not referencing an index in your search, you are relying on the Indexes searched by default setting that your admins control so this setting can be changed at any time without notice and varies from role-to-role. This means that your search could behave very differently from user to user at the same time or for the same user across time. This is absurdly risky and negligent on your part.

tmaurst
Engager

Makes sense.

0 Karma

woodcock
Esteemed Legend

Be sure to spread around the UpVotes to helpful answers and comments and click Accept to close your question.

0 Karma


tmaurst
Engager

This works, thank you. For a bonus... when one of the counts is 0, it will not have a bar on the graph. Is there a way to force a placement for this, such that the 0 value is conveyed? Otherwise it's not apparent that two values are being compared.

0 Karma
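Added example (not from any post in this thread): one way to keep a zero-count category visible on the chart is to build on the single-row stats form from woodcock's answer, where a pattern that matches nothing still yields a 0, and then turn the two columns into two rows with transpose so the chart command gets a category for each. The index name is a placeholder you must replace; "first string" and "second string" stand for the OP's two search terms.

```spl
index=<your_index> sourcetype=mySource ("first string" OR "second string")
| stats count(eval(searchmatch("first string"))) AS firstCount
        count(eval(searchmatch("second string"))) AS secondCount
| transpose
| rename column AS split, "row 1" AS count
| table split count
```

transpose emits one row per original field, with the field name in column and its value in "row 1"; after the rename the result is two rows (firstCount and secondCount) with a numeric count each. Because a non-matching term produces a count of 0 rather than a missing row, the bar chart still shows that category on the x-axis, which makes it clear two values are being compared even when one of them is zero.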

woodcock
Esteemed Legend

Ask a new question.

0 Karma