Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to get a Line Chart with 3 Split by Clauses?

mstark31
Path Finder
‎07-19-2017 12:52 PM

I have a set of lab samples that have a Percent value measured in 3 different locations across the sample, identified as A, B, and C. Each sample is also associated with a different style.

My end goal is to have a line chart with SampleID on the x-axis and Pct on the y-axis with a set 3 different data series for each of the locations A, B, and C for each style. (So Style1PctA, Style1PctB, Style1PctC, Style2PctA, Style2PctB, Style2PctC,...)
Then, I want to use Trellis view to separate by Style, so I'd have a graph with the series for A, B, and C for each Style.

My search is as follows:

| stats avg(Pct) as Pct by SampleID, Location, Style

which of course gives me a table that contains the following fields: SampleID, Location, Style, Pct.
This results in a graph with 3 series: Location, Style, and Pct, but Pct is the only one that shows up on the graph and there is no differentiation by Location or Style.
From there, I can Trellis by Style, but there is no differentiation by Location.

I know that I can accomplish this by doing a separate search (or using a token) to filter by Style before graphing, but then I have to hard-code each of my Styles into either an input on a dashboard, or a series of graphs.

| search Style=123
| stats avg(Pct) as Pct by SampleID, Location

Is there a better way to accomplish this?

Reply

mstark31
Path Finder
‎07-19-2017 01:17 PM

That second block of code should say chart on line 2 instead of stats

0 Karma
Reply

somesoni2
Revered Legend
‎07-19-2017 01:00 PM

GIve this a try

....| stats avg(Pct) as Pct by SampleID, Location, Style | eval Loc_Style=Location.":".Stype
| chart avg(Pct) over SampleID by Loc_Style
0 Karma
Reply

mstark31
Path Finder
‎07-19-2017 01:14 PM

Thank you. While this does work to get all the data series on a single chart, it does not work if I want to do a trellis view separating by Style.

Reply
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...