Splunk Search

How to create a bar chart from a field that contains a list of values?

dan_pudwell
Explorer

I am trying to create a bar chart from a field that could have 0 or multiple values delimited with ;

An example of the data is:

{"auditSource":"frontend","auditType":"Results","eventId":"4a99edaf-cc97-4e19-9146-1a2a4cb90856","tags":{"clientIP":""},"detail":{"successful":"false","errorCodes":"56004;56003"},"generatedAt":"2016-01-28T21:50:35.320Z"}

So I know that detail.errorCodes will give me the value '56004;56003', but I'm not sure how to separate these and create a bar chart from the result.

0 Karma
1 Solution

javiergn
Super Champion

Would the following work for you?

| yoursearch
| eval code = split('detail.errorCodes', ";")
| mvexpand code
| stats count by code


dan_pudwell
Explorer

Hello, cheers for the answer. However it doesn't work. It says "'Field 'code' does not exist in the data."
It just returns all the events matching the search.

0 Karma

javiergn
Super Champion

That's because I forgot the single quotes with the field name.
I've fixed my answer above. Please try again:

| yoursearch
| eval code = split('detail.errorCodes', ";")
| mvexpand code
| stats count by code
0 Karma

dan_pudwell
Explorer

Awesome! works great, Thanks!

0 Karma
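A self-contained way to try the accepted search without the original data, added here as an example and not taken from any poster in the thread. The three events are constructed, and the counter field `n` and the `where` filter (which drops the event whose errorCodes is empty, the "0 values" case from the question) are assumptions of this sketch.

```spl
| makeresults count=3
| streamstats count AS n
| eval _raw=case(
    n=1, "{\"detail\":{\"successful\":\"false\",\"errorCodes\":\"56004;56003\"}}",
    n=2, "{\"detail\":{\"successful\":\"false\",\"errorCodes\":\"56004\"}}",
    n=3, "{\"detail\":{\"successful\":\"true\",\"errorCodes\":\"\"}}")
| spath
| eval code=split('detail.errorCodes', ";")
| mvexpand code
| where isnotnull(code) AND code!=""
| stats count by code
| sort - count
```

With these constructed events the result is 56004 with a count of 2 and 56003 with a count of 1; select a bar or column chart on the Visualization tab to plot it.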