Solved: Show increasing values with dropoff

jlieberg · ‎03-04-2020

I have a data set similar to the following:

"_time",source,increment
"2020-02-26","third",
"2020-02-25","third","yes"
"2020-02-21","third",
"2020-02-20","third","yes"
"2020-02-29","second",
"2020-02-28","second","yes"
"2020-02-27","second","yes"
"2020-02-26","second","yes"
"2020-02-25","second","yes"
"2020-02-24","second","yes"
"2020-02-23","second","yes"
"2020-02-22","second","yes"
"2020-03-01","first",
"2020-02-29","first","yes"

I would like to make this chart with first=blue, second=red, and third=green:

So for each yes in the increment column add 1 to the current count for the source, else reset the count back to 0. If a source does not have a reset column it should continue at the current count to the end of the chart.

Is this possible?

manjunathmeti · ‎03-04-2020

Hi @jlieberg,

Yes, this is possible with below query:

| makeresults 
| eval _raw="time,source,increment
2020-02-26,third,
2020-02-25,third,yes
2020-02-21,third,
2020-02-20,third,yes
2020-02-29,second,
2020-02-28,second,yes
2020-02-27,second,yes
2020-02-26,second,yes
2020-02-25,second,yes
2020-02-24,second,yes
2020-02-23,second,yes
2020-02-22,second,yes
2020-03-01,first,
2020-02-29,first,yes" 
| multikv forceheader=1 
| sort source, time 
| streamstats count(increment) as step by source reset_after="("isnull(increment)")" 
| eval step=if(increment=="yes", step, 0) 
| xyseries time source step

Once you run the search, go to Visualization tab and select Column Chart.

In your search query you can add this:

| eval time=strftime(_time, "%y-%m-%d")
| sort source, time 
| streamstats count(increment) as step by source reset_after="("isnull(increment)")" 
| eval step=if(increment=="yes", step, 0) 
| xyseries time source step

View solution in original post

manjunathmeti · ‎03-04-2020

Hi @jlieberg,

Yes, this is possible with below query:

| makeresults 
| eval _raw="time,source,increment
2020-02-26,third,
2020-02-25,third,yes
2020-02-21,third,
2020-02-20,third,yes
2020-02-29,second,
2020-02-28,second,yes
2020-02-27,second,yes
2020-02-26,second,yes
2020-02-25,second,yes
2020-02-24,second,yes
2020-02-23,second,yes
2020-02-22,second,yes
2020-03-01,first,
2020-02-29,first,yes" 
| multikv forceheader=1 
| sort source, time 
| streamstats count(increment) as step by source reset_after="("isnull(increment)")" 
| eval step=if(increment=="yes", step, 0) 
| xyseries time source step

Once you run the search, go to Visualization tab and select Column Chart.

In your search query you can add this:

| eval time=strftime(_time, "%y-%m-%d")
| sort source, time 
| streamstats count(increment) as step by source reset_after="("isnull(increment)")" 
| eval step=if(increment=="yes", step, 0) 
| xyseries time source step

jlieberg · ‎03-04-2020

Wow, that is really cool! I did change increment=="yes" to !isnull(increment) to be more flexible, but this is a cool solution that I figured had to be possible. My actual date ranges are longer than in this example, and I was hoping I could use some kind of "stepped" area chart that didn't interpolate between points, do you know if that is possible?

Show increasing values with dropoff

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?