How do you timechart count for 3 fields where Date...

pavanae · ‎10-31-2018

I have a query as below

| inputlookup sample_lookup.csv | rename "Count Type" as count_type
which gives the result as follows...

Is there any way in Splunk to get a visualization where Date in x axis and Product, count_type and count on y-axis?

niketn · ‎10-31-2018

@pavanae, try the following and confirm:

<yourCurrentSearch>
| fields Date Product count_type count
| eval key=Product."-".count_type
| chart sum(count) as count by Date key

Following is a run anywhere example based on sample data provided in the question:

| makeresults
| eval data="Product=A,count_type=X,Date=10/31/2018,count=72;Product=A,count_type=Y,Date=10/31/2018,count=42;Product=B,count_type=X,Date=10/31/2018,count=12;Product=B,count_type=Y,Date=10/31/2018,count=32;Product=A,count_type=X,Date=10/15/2018,count=172;Product=A,count_type=Y,Date=10/15/2018,count=442;Product=B,count_type=X,Date=10/15/2018,count=62;Product=B,count_type=Y,Date=10/15/2018,count=45"
| makemv data delim=";"
| mvexpand data
| rename data as _raw
| KV
| fields - _raw _time
| fields Date Product count_type count
| eval key=Product."-".count_type
| chart sum(count) as count by Date key

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

pavanae · ‎10-31-2018

@niketnilay. It's displayed the date on x-axis which is good but all I can see on the y-axis values as NULL.

How do you timechart count for 3 fields where Date is on x-axis and the remaining fields are on y axis?

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life