Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

How to use the chart command optional argument "format"

klee310
Communicator
‎05-28-2014 09:27 PM

hi, i'm looking at the documentation (http://docs.splunk.com/Documentation/Splunk/6.1.1/SearchReference/Chart) and I'm wondering how I can format my chart-table output?

I have a search similar to this:

earliest=5/12/2014:00:00:00 latest=5/13/2014:00:00:00 index=test1 | stats sum(duration) AS duration by type city | eventstats sum(duration) AS city_duration by city | appendpipe [ stats sum(duration) AS duration by type | eval city="ALL" | eventstats sum(duration) AS city_duration by city ] | eval p_duration=round(duration*100/city_duration, 4)." %" | chart limit=0 last(duration) AS Total last(p_duration) AS Percent by type city

The output I am getting has column headers, for example:

Type   Total:New York Total:Buffalo   Total:Toronto ... Percent:New York   Percent:Buffalo   Percent:Toronto

But instead, I'm looking for a result set with the following column headers:

Type New York:Total New York:Percent ...

essentially, I want the Total/Percent to be displayed after the city name. I'm looking at the format optional argument and I can't seem to make it work. Any help or examples greatly appreciated!

Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

jhupka
Path Finder
‎05-28-2014 09:40 PM

You would do something like this:

index=* earliest=-5m | chart format="$VAL$:$AGG$"  count, first(_time) by host, splunk_server

Note that this is something new in Splunk 6...if you're on Splunk 5 you'll get an error about the format option.

View solution in original post

Reply
Solved! Jump to solution
Solution

jhupka
Path Finder
‎05-28-2014 09:40 PM

You would do something like this:

index=* earliest=-5m | chart format="$VAL$:$AGG$"  count, first(_time) by host, splunk_server

Note that this is something new in Splunk 6...if you're on Splunk 5 you'll get an error about the format option.

Reply
Solved! Jump to solution

klee310
Communicator
‎05-29-2014 04:08 AM

great, i'll give it a shot. thanks for the help!

0 Karma
Reply
Solved! Jump to solution

jhupka
Path Finder
‎05-28-2014 10:55 PM

Would something like this pattern be sufficient...you end up with rows of each tuple. Example using the search I had above:

index=* earliest=-5m | eval marker=splunk_server." - ".host | chart count, first(_time) as timestamp by marker

Example with the last part of your search:

... | eval marker=city."=".type | chart limit=0 last(duration) AS Total last(p_duration) AS Percent by marker

Reply
Solved! Jump to solution

klee310
Communicator
‎05-28-2014 10:33 PM

thanks for the note on the version. didn't notice that before. yes, I'm on Splunk 5... so is there any other way? since format is not supported on Splunk 5?

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Index This | What travels the world but is also stuck in place?

April 2026 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Realizing the full potential of your Splunk investment requires more than just understanding current usage; it ...

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

As data volumes continue to grow and environments become more distributed, managing and optimizing data ...