Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

How to group by count with a stacked chart?

r34220
Explorer
‎04-29-2016 10:52 AM

I have the following search...

  index="server_inventory" NOT "OS Name"=enclosure NOT "OS Name"=na NOT "OS Name"=unknown| eval Mfg=lower(Mfg) | eval "OS Name"=lower('OS Name')| replace windows* with windows | replace microsoft* with windows | replace red* with linux | replace rhel* with linux | replace hp-ux* with linux | replace esx* with esx | replace aix* with linux | replace centos* with linux | replace "oracle linux" with linux | replace sunos* with linux | replace other* with linux| replace unbun* with linux | replace open* with linux | replace vmware* with vmware | replace freebsd* with linux | replace esx* with vmware | replace as* with linux | replace ubuntu* with linux| replace ibm* with linux| replace suse* with linux | replace solaris* with linux|stats count, by "Physical Location _NXP SiteID","OS Name"

This gives me the output of "Physical Location", "OS Name", "Count"....

AZ34     linux             8
AZ34     windows           13
AZ50     "hp non-stop"     1
AZ50     linux             131
AZ50     vmware            4
AZ50     windows           65
AZ84     "hp non-stop"     1
AZ84      linux            290
AZ84     vmware            16
AZ84     windows           257

...

I would like to produce a stacked chart with the "Physical Location" grouped as the X axis with the "OS Name" stacked for each "OS Name" for Y axis.

Does this make sense? Thanks for your help in advance.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

acharlieh
Influencer
‎04-29-2016 11:02 AM

It sounds like you're looking to use the chart command instead of the stats command, something like:

... | chart count over "Physical Location _NXP SiteID" by "OS Name"

perhaps? (I might have my over and by terms flipped).

View solution in original post

0 Karma
Reply
Solved! Jump to solution

sundareshr
Legend
‎04-29-2016 11:02 AM

Like this

index="server_inventory" NOT "OS Name"=enclosure NOT "OS Name"=na NOT "OS Name"=unknown| eval Mfg=lower(Mfg) | eval "OS Name"=lower('OS Name')| replace windows* with windows | replace microsoft* with windows | replace red* with linux | replace rhel* with linux | replace hp-ux* with linux | replace esx* with esx | replace aix* with linux | replace centos* with linux | replace "oracle linux" with linux | replace sunos* with linux | replace other* with linux| replace unbun* with linux | replace open* with linux | replace vmware* with vmware | replace freebsd* with linux | replace esx* with vmware | replace as* with linux | replace ubuntu* with linux| replace ibm* with linux| replace suse* with linux | replace solaris* with linux|chart count, over "Physical Location _NXP SiteID" by "OS Name"
0 Karma
Reply
Solved! Jump to solution
Solution

acharlieh
Influencer
‎04-29-2016 11:02 AM

It sounds like you're looking to use the chart command instead of the stats command, something like:

... | chart count over "Physical Location _NXP SiteID" by "OS Name"

perhaps? (I might have my over and by terms flipped).

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...