Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to group by count with a stacked chart?

r34220
Explorer
‎04-29-2016 10:52 AM

I have the following search...

  index="server_inventory" NOT "OS Name"=enclosure NOT "OS Name"=na NOT "OS Name"=unknown| eval Mfg=lower(Mfg) | eval "OS Name"=lower('OS Name')| replace windows* with windows | replace microsoft* with windows | replace red* with linux | replace rhel* with linux | replace hp-ux* with linux | replace esx* with esx | replace aix* with linux | replace centos* with linux | replace "oracle linux" with linux | replace sunos* with linux | replace other* with linux| replace unbun* with linux | replace open* with linux | replace vmware* with vmware | replace freebsd* with linux | replace esx* with vmware | replace as* with linux | replace ubuntu* with linux| replace ibm* with linux| replace suse* with linux | replace solaris* with linux|stats count, by "Physical Location _NXP SiteID","OS Name"

This gives me the output of "Physical Location", "OS Name", "Count"....

AZ34     linux             8
AZ34     windows           13
AZ50     "hp non-stop"     1
AZ50     linux             131
AZ50     vmware            4
AZ50     windows           65
AZ84     "hp non-stop"     1
AZ84      linux            290
AZ84     vmware            16
AZ84     windows           257

...

I would like to produce a stacked chart with the "Physical Location" grouped as the X axis with the "OS Name" stacked for each "OS Name" for Y axis.

Does this make sense? Thanks for your help in advance.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

acharlieh
Influencer
‎04-29-2016 11:02 AM

It sounds like you're looking to use the chart command instead of the stats command, something like:

... | chart count over "Physical Location _NXP SiteID" by "OS Name"

perhaps? (I might have my over and by terms flipped).

View solution in original post

0 Karma
Reply
Solved! Jump to solution

sundareshr
Legend
‎04-29-2016 11:02 AM

Like this

index="server_inventory" NOT "OS Name"=enclosure NOT "OS Name"=na NOT "OS Name"=unknown| eval Mfg=lower(Mfg) | eval "OS Name"=lower('OS Name')| replace windows* with windows | replace microsoft* with windows | replace red* with linux | replace rhel* with linux | replace hp-ux* with linux | replace esx* with esx | replace aix* with linux | replace centos* with linux | replace "oracle linux" with linux | replace sunos* with linux | replace other* with linux| replace unbun* with linux | replace open* with linux | replace vmware* with vmware | replace freebsd* with linux | replace esx* with vmware | replace as* with linux | replace ubuntu* with linux| replace ibm* with linux| replace suse* with linux | replace solaris* with linux|chart count, over "Physical Location _NXP SiteID" by "OS Name"
0 Karma
Reply
Solved! Jump to solution
Solution

acharlieh
Influencer
‎04-29-2016 11:02 AM

It sounds like you're looking to use the chart command instead of the stats command, something like:

... | chart count over "Physical Location _NXP SiteID" by "OS Name"

perhaps? (I might have my over and by terms flipped).

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...

Fun with Regular Expression - multiples of nine

Fun with Regular Expression - multiples of nineThis challenge was first posted on Slack #regex channel ...