Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to create a bar chart from a field that contai...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
dan_pudwell
Explorer
02-01-2016
01:36 AM
I am trying to create a bar chart from a field that could have 0 or multiple values delimited with ;
An example of the data is:
{"auditSource":"frontend","auditType":"Results","eventId":"4a99edaf-cc97-4e19-9146-1a2a4cb90856","tags":{"clientIP":""},"detail":{"successful":"false","errorCodes":"56004;56003"},"generatedAt":"2016-01-28T21:50:35.320Z"}
So I know that detail.errorCodes will give me the value '56004;56003', but I'm not sure how to separate these and create a bar chart from the result.
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
javiergn
Super Champion
02-01-2016
06:35 AM
Would the following work for you?
| yoursearch
| eval code = split('detail.errorCodes', ";")
| mvexpand code
| stats count by code
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
javiergn
Super Champion
02-01-2016
06:35 AM
Would the following work for you?
| yoursearch
| eval code = split('detail.errorCodes', ";")
| mvexpand code
| stats count by code
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
dan_pudwell
Explorer
02-01-2016
08:02 AM
Hello, cheers for the answer. However it doesn't work. It says "'Field 'code' does not exist in the data."
It just returns all the events matching the search.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
javiergn
Super Champion
02-01-2016
08:17 AM
That's because i forgot the single quotes with the field name.
I've fixed my answer above. Please try again:
| yoursearch
| eval code = split('detail.errorCodes', ";")
| mvexpand code
| stats count by code
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
dan_pudwell
Explorer
02-01-2016
08:29 AM
Awesome! works great, Thanks!
Get Updates on the Splunk Community!
.conf25 Community Recap
Hello Splunkers,
And just like that, .conf25 is in the books! What an incredible few days — full of learning, ...
Splunk App Developers | .conf25 Recap & What’s Next
If you stopped by the Builder Bar at .conf25 this year, thank you! The retro tech beer garden vibes were ...
Congratulations to the 2025-2026 SplunkTrust!
Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!
The ...
