Splunk Search

How to create a new field after using the chart command

lukeh
Contributor

Hi Ninjas,

I have a search which produces a bar chart comparing four different fields week over week:

index=foo conversion_source=Online OR conversion_source=Offline 
| bin span=1w _time
| chart sum(ABC) AS ABC sum(DEF) AS DEF sum(GHI) AS GHI sum(JKL) AS JKL over _time by conversion_source
| transpose
| search column!=_*
| rename "row 1" AS "Current Week" "row 2" AS "Past Week" column AS "Conversion Source"

Here is the bar chart:
alt text

It is ok but the customer wants something a little fancier, like a Bubble Chart or a Punchcard, e.g.
alt text

To use the Punchard viz, I need to re-format the output from the following:

Conversion Source   Current Week    Past Week
ABC: Offline         40262         37334
ABC: Online       36997        36233
DEF: Offline         253865       216674
DEF: Online       561871          572597
GHI: Offline         356971       398079
GHI: Online       243909          226444
JKL: Offline         1275880         1284603
JKL: Online       1225050        1165302

to this:

date            type            count
Current Week    ABC: Offline    40262
Current Week    ABC: Online  36997
Current Week    DEF: Offline    253865
Current Week    DEF: Online  561871
Current Week    GHI: Offline    356971
Current Week    GHI: Online  243909
Current Week    JKL: Offline    1275880
Current Week    JKL: Online  1225050
Past Week      ABC: Offline 37334
Past Week      ABC: Online   36233
Past Week      DEF: Offline 216674
Past Week      DEF: Online   572597
Past Week      GHI: Offline 398079
Past Week      GHI: Online   226444
Past Week      JKL: Offline 1284603
Past Week      JKL: Online   1165302

I would greatly appreciate any tips on how to achieve this new tabular output.

Thanks in advance,

Luke.

Tags (2)
1 Solution

sideview
SplunkTrust
SplunkTrust

EDIT - second time's the charm.

index=foo conversion_source=Online OR conversion_source=Offline 
 | bin span=1w _time
 | chart sum(ABC) AS ABC sum(DEF) AS DEF sum(GHI) AS GHI sum(JKL) AS JKL over _time by conversion_source
 | untable date type count

View solution in original post

sideview
SplunkTrust
SplunkTrust

EDIT - second time's the charm.

index=foo conversion_source=Online OR conversion_source=Offline 
 | bin span=1w _time
 | chart sum(ABC) AS ABC sum(DEF) AS DEF sum(GHI) AS GHI sum(JKL) AS JKL over _time by conversion_source
 | untable date type count

lukeh
Contributor

Thank you Nick!!!11!!!!!1!!!

untable did the trick, which reminds me of the undead 😉

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...