How to edit my search to display count in a column chart?

Path Finder

Hi,
I have the following search:

sourcetype=* | chart count(eval(status="info")) AS info, count(eval(status="Error")) AS error, count(eval(status="warn")) AS warn by sourcetype

If I wish to display the count in a column chart, what will be the changes for my search? Thanks.

Re: How to edit my search to display count in a column chart?

Splunk Employee

The best way is to reduce the data set first and then enumerate by the data points involved.

In this scenario, we assume that all of your sourcetypes understand the meta field status. The following is best to reduce the data set:

* (status="error" OR status="info" OR status="warning")

The second step is to count the desired meta field and then align by the result and the associated data point. In other words:

| chart count(status) by source status

That produces a table like this:

The end result is the ability to use that data in a column (or bar) chart as follows:

Makes sense?

Re: How to edit my search to display count in a column chart?

Path Finder

Hi, I can display what I want using my own query; it's just that I wish to display for each column, e.g. display count=9 for jbridge error, 675 for splunkd error, etc. Thanks.

Re: How to edit my search to display count in a column chart?

Motivator

Indeed, your command works right, but the problem is that the values of the field "status" that you use inside eval are certainly not good values, because generally the "status" field takes the following values:
200; 201; 204; 303; 304; 400; 401; 404; 500
Continued; failure; skipped; success ...

See my example to better understand:
sourcetype=* | chart count(eval(status=200)) AS info, count(eval(status="400")) AS error, count(eval(status="500")) AS warn by sourcetype

See the picture below.

Or, if you want, you can use the case function like this:
sourcetype=*|eval des=case(status>=200 AND status<300,"infos",status>=300 AND status<400,"infos2",status>=400 AND status<500,"infos4",status>=500,"infos4") | chart count(status) by des, sourcetype

See this link: http://answers.splunk.com/answers/152683/is-it-possible-to-show-values-in-the-column-bar-chart.html#...
to see values in the column/bar chart.
