Splunk Search

How to display charts based on condition by some field

avni26
Explorer

Hi,
I want to display two charts, one column chart and one line chart, in a single panel based on a condition.
For example, if result=found then a column chart based on user for all months, and when result="not found" then a line chart based on user.
My data looks like this:
Users result Jan Feb Mar Apr May Jun July .. Dec
ABC found 100 102 103 102 100 105 200... 70
ABC Not-Found 20 50 22 30 60 22 43 .... 10
XYZ found 120 80 70 ..........................................
XYZ Not-Found 24 30 15 .........................................

Now, I want to display a column chart when result=found, with x-axis (Months) and Y-axis (month values) by Users, and
in the same panel I want to show a line chart when result=not found, with x-axis (Months) and Y-axis (month values) by Users.

Please suggest.

0 Karma
1 Solution

to4kawa
SplunkTrust
SplunkTrust
| gentimes start=01/01/2019 
| rename starttime as _time 
| timechart span=1month count 
| eval time = strftime(_time ,"%b") 
| table time count 
| transpose 0 header_field=time column_name=Users 
| table Users Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec 
| eval user=mvrange(0,4) 
| mvexpand user 
| foreach * [ eval <<FIELD>> = random() % 100 + 10]
| streamstats count 
| eval result=if(count % 2 = 1,"found","Not_Found") 
| eval Users=if(count <= 2,"ABC","XYZ") 
| table Users result Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec
`comment("this is your sample. From here, the logic")`
| eval tmp=Users.":".result
| fields - Users result
| transpose 0 header_field=tmp column_name=month

Visualization >> Column Chart with overlay ABC:Not_Found and XYZ:Not_Found

Hi, folks. How about this?


0 Karma

avni26
Explorer

@to4kawa Thanks, it worked perfectly as per my requirement.

0 Karma

somesoni2
Revered Legend

You could use post-process searches in your dashboard and feed two post-process searches, one to each visualization.

Base search:

Your base search giving fields Users result Jan Feb...
| eval temp=Users."##".result | fields - Users result
| untable temp month valueForMonth
| rex field=temp "(?<Users>.+)##(?<result>.+)" | fields - temp
| stats sum(valueForMonth) as valueForMonth by month result

Post process 1 - for column chart

| where result="found" | table month valueForMonth

Post process 2 - for line chart

| where result="Not-Found" | table month valueForMonth

For an example of how to write post-process searches for a dashboard, refer to this Splunk documentation:
https://docs.splunk.com/Documentation/Splunk/8.0.1/Viz/Savedsearches#Examples_2 (first example is close to what you need)

0 Karma
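As an added example (not from somesoni2's post or the Splunk docs), here is a Simple XML dashboard that wires the base search above to two post-process panels. The `index=my_index sourcetype=my_data` in the base query is a placeholder to replace with your own search, and the `<`/`>` of the rex named groups are escaped because the query sits inside XML.

```xml
<dashboard>
  <label>Found vs Not-Found by month</label>

  <!-- Base search: runs once, ends in a transforming command (stats) so
       its results can be post-processed by the panels below.
       "index=my_index sourcetype=my_data" is a placeholder. -->
  <search id="base">
    <query>index=my_index sourcetype=my_data
| eval temp=Users."##".result | fields - Users result
| untable temp month valueForMonth
| rex field=temp "(?&lt;Users&gt;.+)##(?&lt;result&gt;.+)" | fields - temp
| stats sum(valueForMonth) as valueForMonth by month result</query>
    <earliest>-24h@h</earliest>
    <latest>now</latest>
  </search>

  <row>
    <!-- Post process 1: column chart of the "found" rows -->
    <panel>
      <title>result=found</title>
      <chart>
        <search base="base">
          <query>| where result="found" | table month valueForMonth</query>
        </search>
        <option name="charting.chart">column</option>
      </chart>
    </panel>

    <!-- Post process 2: line chart of the "Not-Found" rows -->
    <panel>
      <title>result=Not-Found</title>
      <chart>
        <search base="base">
          <query>| where result="Not-Found" | table month valueForMonth</query>
        </search>
        <option name="charting.chart">line</option>
      </chart>
    </panel>
  </row>
</dashboard>
```

The `where` value must match the literal spelling of the result field in your events (the sample data uses `Not-Found`), otherwise the second panel is empty.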

13tsavage
Communicator

You do not want to chart individual users, correct? Because that could be a MASSIVELY long chart if you have hundreds of users.

You just want a TOTAL COUNT of users found and not found?

0 Karma