Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to chart a line visual?

CodingMaestro
Path Finder
‎02-23-2023 01:06 AM

So I currently have a stats sum donuts for the last 90 days and i am getting the following results like below

sum(donuts)
54000

 

But i need a line chart to show the total number of donuts (sum (donuts) field)  for the last 90 days but just on  a 4 weeks interval. So i should have something like below

CodingMaestro_0-1677143093712.png

I have a field for the lastEaten date but that shows how many were eaten on that specific date. 

Labels (3)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎02-23-2023 02:04 PM

My original intention was for you to replace the last stats command with the timechart command I gave, but now that I see the full query I know that will not work.

You asked for a chart with a 4-week interval, but that requires a time field (preferably _time), which your query does not have.  Well, it appears to be missing, but the ... may be masking its presence.

Modify the query to pass _time through to the end and then the timechart command will be able to graph the results for you.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎02-23-2023 06:00 AM 
| timechart span=4w sum(donuts) as Total
---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

CodingMaestro
Path Finder
‎02-23-2023 10:39 AM

CodingMaestro_0-1677177519263.png

I am getting no results found

 

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎02-23-2023 10:40 AM

Please share the query.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

CodingMaestro
Path Finder
‎02-23-2023 10:53 AM

index.....
| stats latest(...) latest(....) latest(....) by .....
| rename latest(*) as *
| eval eaten_90d = case(isnull(daysSince), null(), daysSince < 90, 1, 1=1, 0)
|eval eaten_30d = case(isnull(daysSince), null(), daysSince < 30, 1, 1=1, 0)
|eval eaten_60d = case(isnull(daysSince), null(), daysSince < 60, 1, 1=1, 0)
| stats dc(....) as Donuts sum(....) as Disabled sum(eaten_90d) as 90d_eaten sum(eaten_30d) as 30d_eaten sum(eaten_60d) as 60d_eaten by ... Donuts
| lookup ..... id as ..... OUTPUT......
| lookup .... OUTPUT ......
| search .....
| sort ....
| search 90d_eaten=0 AND 60d_eaten=0 AND 30d_eaten=0
| stats sum(Donuts)

0 Karma
Reply
Solved! Jump to solution

CodingMaestro
Path Finder
‎02-23-2023 10:54 AM

i tried adding your timechart command after the last line but it did not work

0 Karma
Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎02-23-2023 02:04 PM

My original intention was for you to replace the last stats command with the timechart command I gave, but now that I see the full query I know that will not work.

You asked for a chart with a 4-week interval, but that requires a time field (preferably _time), which your query does not have.  Well, it appears to be missing, but the ... may be masking its presence.

Modify the query to pass _time through to the end and then the timechart command will be able to graph the results for you.

---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

CodingMaestro
Path Finder
‎02-24-2023 12:25 AM

Perfect, Thank You

0 Karma
Reply
Get Updates on the Splunk Community!

Transform your security operations with Splunk Enterprise Security

Hi Splunk Community, Splunk Platform has set a great foundation for your security operations. With the ...

Splunk Admins and App Developers | Earn a $35 gift card!

Splunk, in collaboration with ESG (Enterprise Strategy Group) by TechTarget, is excited to announce a ...

Enterprise Security Content Update (ESCU) | New Releases

In October, the Splunk Threat Research Team had one release of new security content via the Enterprise ...