Splunk Search

How to create a new field after using the chart command

lukeh
Contributor

Hi Ninjas,

I have a search which produces a bar chart comparing four different fields week over week:

index=foo conversion_source=Online OR conversion_source=Offline 
| bin span=1w _time
| chart sum(ABC) AS ABC sum(DEF) AS DEF sum(GHI) AS GHI sum(JKL) AS JKL over _time by conversion_source
| transpose
| search column!=_*
| rename "row 1" AS "Current Week" "row 2" AS "Past Week" column AS "Conversion Source"

Here is the bar chart:
alt text

It is ok but the customer wants something a little fancier, like a Bubble Chart or a Punchcard, e.g.
alt text

To use the Punchard viz, I need to re-format the output from the following:

Conversion Source   Current Week    Past Week
ABC: Offline         40262         37334
ABC: Online       36997        36233
DEF: Offline         253865       216674
DEF: Online       561871          572597
GHI: Offline         356971       398079
GHI: Online       243909          226444
JKL: Offline         1275880         1284603
JKL: Online       1225050        1165302

to this:

date            type            count
Current Week    ABC: Offline    40262
Current Week    ABC: Online  36997
Current Week    DEF: Offline    253865
Current Week    DEF: Online  561871
Current Week    GHI: Offline    356971
Current Week    GHI: Online  243909
Current Week    JKL: Offline    1275880
Current Week    JKL: Online  1225050
Past Week      ABC: Offline 37334
Past Week      ABC: Online   36233
Past Week      DEF: Offline 216674
Past Week      DEF: Online   572597
Past Week      GHI: Offline 398079
Past Week      GHI: Online   226444
Past Week      JKL: Offline 1284603
Past Week      JKL: Online   1165302

I would greatly appreciate any tips on how to achieve this new tabular output.

Thanks in advance,

Luke.

Tags (2)
1 Solution

sideview
SplunkTrust
SplunkTrust

EDIT - second time's the charm.

index=foo conversion_source=Online OR conversion_source=Offline 
 | bin span=1w _time
 | chart sum(ABC) AS ABC sum(DEF) AS DEF sum(GHI) AS GHI sum(JKL) AS JKL over _time by conversion_source
 | untable date type count

View solution in original post

sideview
SplunkTrust
SplunkTrust

EDIT - second time's the charm.

index=foo conversion_source=Online OR conversion_source=Offline 
 | bin span=1w _time
 | chart sum(ABC) AS ABC sum(DEF) AS DEF sum(GHI) AS GHI sum(JKL) AS JKL over _time by conversion_source
 | untable date type count

lukeh
Contributor

Thank you Nick!!!11!!!!!1!!!

untable did the trick, which reminds me of the undead 😉

0 Karma
Get Updates on the Splunk Community!

New in Observability - Improvements to Custom Metrics SLOs, Log Observer Connect & ...

The latest enhancements to the Splunk observability portfolio deliver improved SLO management accuracy, better ...

Improve Data Pipelines Using Splunk Data Management

  Register Now   This Tech Talk will explore the pipeline management offerings Edge Processor and Ingest ...

3-2-1 Go! How Fast Can You Debug Microservices with Observability Cloud?

Register Join this Tech Talk to learn how unique features like Service Centric Views, Tag Spotlight, and ...