Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to display charts based on condition by some field

avni26
Explorer
‎02-06-2020 12:00 AM

Hi ,
I want to display two charts , one column and line chart in single panel based on condition.
For example, if result=found then column chart based on user for all months and when result="not found" then line chart based on user
My data is like,
Users result Jan Feb Mar Apr May Jun July .. Dec
ABC found 100 102 103 102 100 105 200... 70
ABC Not-Found 20 50 22 30 60 22 43 .... 10
XYZ found 120 80 70 ..........................................
XYZ Not-Found 24 30 15 .........................................

Now, want to display coulmn chart when result=found ,x-axis (Months) and in Y-axis (months Value) by Users and
in same panel want to show line chart when result=not found , ,x-axis (Months) and in Y-axis (months Value) by Users

Please suggest.

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

to4kawa
Ultra Champion
‎02-06-2020 04:34 PM 
| gentimes start=01/01/2019 
| rename starttime as _time 
| timechart span=1month count 
| eval time = strftime(_time ,"%b") 
| table time count 
| transpose 0 header_field=time column_name=Users 
| table Users Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec 
| eval user=mvrange(0,4) 
| mvexpand user 
| foreach * [ eval <<FIELD>> = random() % 100 + 10]
| streamstats count 
| eval result=if(count % 2 = 1,"found","Not_Found") 
| eval Users=if(count <= 2,"ABC","XYZ") 
| table Users result Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec
`comment("this is your sample. From here, the logic")`
| eval tmp=Users.":".result
| fields - Users result
| transpose 0 header_field=tmp column_name=month

Visualization >> Column Chart with overlay ABC:Not_Found and XYZ:Not_Found

Hi, folks. how about this?

View solution in original post

0 Karma
Reply
Solved! Jump to solution

Taruchit
Contributor
‎03-18-2022 02:56 AM

Hi All,

How can we apply if else condition to following chart command such that if the value in a cell is 0, the cell is empty else it displays the cell content.

| chart sum(field1) OVER field2 BY field3

The above command gives a tabular result with field2 values on Y axis, field3 values on X axis, and sum(field1) data in cells for each field2 and field3. 

I want to keep the cells which evaluate to sum(field1)=0, but want to keep those cells empty.

Thank you

0 Karma
Reply
Solved! Jump to solution
Solution

to4kawa
Ultra Champion
‎02-06-2020 04:34 PM 
| gentimes start=01/01/2019 
| rename starttime as _time 
| timechart span=1month count 
| eval time = strftime(_time ,"%b") 
| table time count 
| transpose 0 header_field=time column_name=Users 
| table Users Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec 
| eval user=mvrange(0,4) 
| mvexpand user 
| foreach * [ eval <<FIELD>> = random() % 100 + 10]
| streamstats count 
| eval result=if(count % 2 = 1,"found","Not_Found") 
| eval Users=if(count <= 2,"ABC","XYZ") 
| table Users result Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec
`comment("this is your sample. From here, the logic")`
| eval tmp=Users.":".result
| fields - Users result
| transpose 0 header_field=tmp column_name=month

Visualization >> Column Chart with overlay ABC:Not_Found and XYZ:Not_Found

Hi, folks. how about this?

0 Karma
Reply
Solved! Jump to solution

avni26
Explorer
‎02-07-2020 12:59 AM

@to4kawa Thanks, it worked perfectly as per my requirement.

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎02-06-2020 02:22 PM

You could use post process searches in your dashboard and feed 2 post process searches to each of the visualization.

Base search:

Your base search giving fields Users result Jan Feb...
| eval temp=Users."##".result | fields - Users result
| untable temp month valueForMonth
| rex field=temp "(?<Users>.+)##(?<result>.+)" | fields - temp
| stats sum(valueForMonth) as valueForMonth by month result

Post process 1 - for column chart

| where result="found" | table month valueForMonth

Post process 2 - for line chart

| where result="No-found" | table month valueForMonth

For example on how to write post process searches for dashboard, refer to this Splunk documentation:
https://docs.splunk.com/Documentation/Splunk/8.0.1/Viz/Savedsearches#Examples_2 (first example is close to what you need)

0 Karma
Reply
Solved! Jump to solution

13tsavage
Communicator
‎02-06-2020 09:06 AM

You do not want to chart individual users correct? Because that could be a MASSIVELY long chart if you have hundreds of users.

You just want a TOTAL COUNT of users found and not found?

0 Karma
Reply
Get Updates on the Splunk Community!

Index This | When is October more than just the tenth month?

October 2025 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

What’s New & Next in Splunk SOAR

 Security teams today are dealing with more alerts, more tools, and more pressure than ever.  Join us for an ...