Re: Multiple graphs in line chart

patilsh · ‎06-19-2017

Hello All,

I have a data as below :
Where for every callId there are list of values in next column. So I have some 10 callId and for every callId and I have list of values in column 2

Now I want to plot a line chart , for the values in column 2 such that every callId corresponds to a separate line in visualization.

Can someone please tell me how can we achieve this.

Regards
Shailendra Patil

somesoni2 · ‎06-19-2017

I think you current search ends like this ..| stats list(entryData.LevelIn) by callId. Instead just use like this

your search before the stats | stats avg(entryData.LevelIn)  as AvgLevelIn by callId

patilsh · ‎06-19-2017

index="alpha_all_careport_event" userId="90925fcb-4543-4d9e-87f4-51ab9b4b7cd8"|stats list(eventData.txLevelIn) by callId|rename "list(eventData.txLevelIn)" AS Levelin|mvexpand Levelin|streamstats count AS serial BY callId|chart avg(Levelin) OVER serial BY callId

This is how it ends , its shows as 352 events , but in table i can see 100 only for each

woodcock · ‎06-19-2017

Add this to the bottom of your existing search:

... | rename "list(EventData.txt.Levelin)" AS Levelin
| mvexpand Levelin
| streamstats count AS serial BY callId
| chart avg(Levelin) OVER serial BY callId

patilsh · ‎06-19-2017

Hey, Thanks for the help,

But i can just see 100 events for each ID here ?

Is that a limit ?

woodcock · ‎06-19-2017

There is a limit on list (and values) but I think it is 1000, not 100.

Multiple graphs in line chart

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?