Splunk Search

How to create a new field after using the chart command

Contributor

Hi Ninjas,

I have a search which produces a bar chart comparing four different fields week over week:

index=foo conversion_source=Online OR conversion_source=Offline 
| bin span=1w _time
| chart sum(ABC) AS ABC sum(DEF) AS DEF sum(GHI) AS GHI sum(JKL) AS JKL over _time by conversion_source
| transpose
| search column!=_*
| rename "row 1" AS "Current Week" "row 2" AS "Past Week" column AS "Conversion Source"

Here is the bar chart:
alt text

It is ok but the customer wants something a little fancier, like a Bubble Chart or a Punchcard, e.g.
alt text

To use the Punchard viz, I need to re-format the output from the following:

Conversion Source   Current Week    Past Week
ABC: Offline         40262         37334
ABC: Online       36997        36233
DEF: Offline         253865       216674
DEF: Online       561871          572597
GHI: Offline         356971       398079
GHI: Online       243909          226444
JKL: Offline         1275880         1284603
JKL: Online       1225050        1165302

to this:

date            type            count
Current Week    ABC: Offline    40262
Current Week    ABC: Online  36997
Current Week    DEF: Offline    253865
Current Week    DEF: Online  561871
Current Week    GHI: Offline    356971
Current Week    GHI: Online  243909
Current Week    JKL: Offline    1275880
Current Week    JKL: Online  1225050
Past Week      ABC: Offline 37334
Past Week      ABC: Online   36233
Past Week      DEF: Offline 216674
Past Week      DEF: Online   572597
Past Week      GHI: Offline 398079
Past Week      GHI: Online   226444
Past Week      JKL: Offline 1284603
Past Week      JKL: Online   1165302

I would greatly appreciate any tips on how to achieve this new tabular output.

Thanks in advance,

Luke.

Tags (2)
1 Solution

SplunkTrust
SplunkTrust

EDIT - second time's the charm.

index=foo conversion_source=Online OR conversion_source=Offline 
 | bin span=1w _time
 | chart sum(ABC) AS ABC sum(DEF) AS DEF sum(GHI) AS GHI sum(JKL) AS JKL over _time by conversion_source
 | untable date type count

View solution in original post

SplunkTrust
SplunkTrust

EDIT - second time's the charm.

index=foo conversion_source=Online OR conversion_source=Offline 
 | bin span=1w _time
 | chart sum(ABC) AS ABC sum(DEF) AS DEF sum(GHI) AS GHI sum(JKL) AS JKL over _time by conversion_source
 | untable date type count

View solution in original post

Contributor

Thank you Nick!!!11!!!!!1!!!

untable did the trick, which reminds me of the undead 😉

0 Karma