Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Joining 3 sets of results from 2 indexes to graph
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
peterkn
Explorer
11-26-2015
11:09 PM
Say in table A I have just 1 column result:
Animal:
Chicken
Chicken
Cow
Cat
Cow
Cow
Dog
My query of "stats count by Animal" Would return me with:
Chicken 2
Cow 3
Cat 1
Dog 1
Now I have table B
Animal Name Age:
Cat Mick 3
Cat
Dog Mike 1
Dog Moose
I would like to join the results to make a multi-column bar graph (or a stacked bar graph) with the following result (Animal,Animal Count, Has_name, Has Age)
Cow 3 X Y, Cat 1 X Y, Dog 1 X Y
where X is the number of the respective animal instance that appear in table B with a Name specified. Y is with an Age specified
So the final table would be
Cow 3 0 0, Cat 1 1 1, Dog 1 2 1
and as a result, the multi-column graph would have 3 grouped columns of Cow, Cat and Dog.
Any suggestion/help is greatly appreciated.
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
woodcock
Esteemed Legend
11-27-2015
11:37 AM
Like this (adjust to find your way of accessing the data, instead of faking it like I did):
|noop|stats count AS Animal|eval Animal="Chicken,Chicken,Cow,Cat,Cow,Cow,Dog"|makemv delim="," Animal | mvexpand Animal | stats count BY Animal
| appendpipe [|noop|stats count AS Animal|eval Animal="1,2,3,4"|makemv delim="," Animal | mvexpand Animal
| eval Name=case(Animal=1, "Mick", Animal=3, "Mike", Animal=4, "Moose")
| eval Age=case(Animal=1, "3", Animal=3, "1")
| eval Animal=case(Animal<3, "Cat", true(), "Dog") | stats count(*) AS * BY Animal]
| stats values(*) AS * BY Animal | fields Animal count Name Age | rename Age AS withAges Name AS withNames
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
woodcock
Esteemed Legend
11-27-2015
11:37 AM
Like this (adjust to find your way of accessing the data, instead of faking it like I did):
|noop|stats count AS Animal|eval Animal="Chicken,Chicken,Cow,Cat,Cow,Cow,Dog"|makemv delim="," Animal | mvexpand Animal | stats count BY Animal
| appendpipe [|noop|stats count AS Animal|eval Animal="1,2,3,4"|makemv delim="," Animal | mvexpand Animal
| eval Name=case(Animal=1, "Mick", Animal=3, "Mike", Animal=4, "Moose")
| eval Age=case(Animal=1, "3", Animal=3, "1")
| eval Animal=case(Animal<3, "Cat", true(), "Dog") | stats count(*) AS * BY Animal]
| stats values(*) AS * BY Animal | fields Animal count Name Age | rename Age AS withAges Name AS withNames
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
chimell
Motivator
11-27-2015
01:08 AM
hi peterkn
can you send your xml code ?
Get Updates on the Splunk Community!
Tech Talk Recap | Mastering Threat Hunting
Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...
Observability for AI Applications: Troubleshooting Latency
If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...
Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?
In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...
