Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to use the chart command optional argument "format"

klee310
Communicator
‎05-28-2014 09:27 PM

hi, i'm looking at the documentation (http://docs.splunk.com/Documentation/Splunk/6.1.1/SearchReference/Chart) and I'm wondering how I can format my chart-table output?

I have a search similar to this:

earliest=5/12/2014:00:00:00 latest=5/13/2014:00:00:00 index=test1 | stats sum(duration) AS duration by type city | eventstats sum(duration) AS city_duration by city | appendpipe [ stats sum(duration) AS duration by type | eval city="ALL" | eventstats sum(duration) AS city_duration by city ] | eval p_duration=round(duration*100/city_duration, 4)." %" | chart limit=0 last(duration) AS Total last(p_duration) AS Percent by type city

The output I am getting has column headers, for example:

Type   Total:New York Total:Buffalo   Total:Toronto ... Percent:New York   Percent:Buffalo   Percent:Toronto

But instead, I'm looking for a result set with the following column headers:

Type New York:Total New York:Percent ...

essentially, I want the Total/Percent to be displayed after the city name. I'm looking at the format optional argument and I can't seem to make it work. Any help or examples greatly appreciated!

Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

jhupka
Path Finder
‎05-28-2014 09:40 PM

You would do something like this:

index=* earliest=-5m | chart format="$VAL$:$AGG$"  count, first(_time) by host, splunk_server

Note that this is something new in Splunk 6...if you're on Splunk 5 you'll get an error about the format option.

View solution in original post

Reply
Solved! Jump to solution
Solution

jhupka
Path Finder
‎05-28-2014 09:40 PM

You would do something like this:

index=* earliest=-5m | chart format="$VAL$:$AGG$"  count, first(_time) by host, splunk_server

Note that this is something new in Splunk 6...if you're on Splunk 5 you'll get an error about the format option.

Reply
Solved! Jump to solution

klee310
Communicator
‎05-29-2014 04:08 AM

great, i'll give it a shot. thanks for the help!

0 Karma
Reply
Solved! Jump to solution

jhupka
Path Finder
‎05-28-2014 10:55 PM

Would something like this pattern be sufficient...you end up with rows of each tuple. Example using the search I had above:

index=* earliest=-5m | eval marker=splunk_server." - ".host | chart count, first(_time) as timestamp by marker

Example with the last part of your search:

... | eval marker=city."=".type | chart limit=0 last(duration) AS Total last(p_duration) AS Percent by marker

Reply
Solved! Jump to solution

klee310
Communicator
‎05-28-2014 10:33 PM

thanks for the note on the version. didn't notice that before. yes, I'm on Splunk 5... so is there any other way? since format is not supported on Splunk 5?

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...