Splunk Search

How to convert from horse shoe to stacked bar chart?

sphiwee
Contributor

I have the below SPL with the regex, which I was using as a horse shoe visualization, but I'm trying to convert it to a stacked bar graph with the log level per process. The log levels should have different colours: red for ERROR, green for INFO, blue for DEBUG, etc. It should be a trellis visual.


index="intau_workfusion" sourcetype=workfusion.out.log host=*
| rex "^(?<Date>\d+-\d+-\d+\s+\d+:\d+:\d+)\s+\[[^\]]*\]\s*\[(?<Process>[^\]]*)\]\s*\[(?<Step>[^\]]*)\]\s*\[(?<User>[^\]]*)\]\s*[^\[]+\s\[(?<Log_level>[^\]]+)"
| search Log_level="ERROR"
| where Process != ""
| eval hour=strftime(_time,"%H")
| where hour >= 5 AND hour < 18
| eval day=strftime(_time,"%w")
| where day >= 1 AND day <= 5
| bin _time span=1d
| stats count AS ERRORS by Process
| sort - ERRORS
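
Added example, not part of the original post: one way to reshape the search above for a stacked column chart is to drop the `Log_level="ERROR"` filter and count events per `Process` split by `Log_level`, so each log level becomes its own series. It assumes the extracted `Log_level` values are the ERROR, INFO and DEBUG levels named in the question.

```spl
index="intau_workfusion" sourcetype=workfusion.out.log host=*
| rex "^(?<Date>\d+-\d+-\d+\s+\d+:\d+:\d+)\s+\[[^\]]*\]\s*\[(?<Process>[^\]]*)\]\s*\[(?<Step>[^\]]*)\]\s*\[(?<User>[^\]]*)\]\s*[^\[]+\s\[(?<Log_level>[^\]]+)"
| where Process != "" AND isnotnull(Log_level)
| eval hour=tonumber(strftime(_time,"%H"))
| where hour >= 5 AND hour < 18
| eval day=tonumber(strftime(_time,"%w"))
| where day >= 1 AND day <= 5
| chart count over Process by Log_level
```

In Simple XML, setting `charting.chart.stackMode` to `stacked` stacks the series, and `charting.fieldColors` maps each `Log_level` value to a colour, for example `{"ERROR": 0xFF0000, "INFO": 0x00FF00, "DEBUG": 0x0000FF}`.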
