Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Stacked Chart totaling all instances of an event.

GratefulDude
Explorer
‎06-09-2010 07:42 PM

I'm having a bit of trouble finishing up a report

I'm trying to give a report of how long users were logged into a system over the course of a day. Sometimes a user logs in multiple times. I want to have a stacked chart showing each time a user logged in added together.

I have: 

source="*usermonitor*.log" "usermanager reports user * logged" | rex "usermanager reports user (?P<USER>[^\.]*) logged " |search USER="*"  | transaction USER startswith="logged in, reply " endswith="logged out, reply "   | eval Hours=round(duration/3600,2) |chart values(Hours) by USER

The results show exactly what I want. A list like:

User1     2.5
User2     3.1
User3     2.8
          1.5
User4     7.4

etc.

Now when I "Show Report", I only see values on the chart for Users with only 1 entry and I can't make it a "Stacked" chart to total them all.

Of course, doing a "|chart sum(Hours) by USER" gives me the correct totals for all of the users, but I lose the individual values.

Any Suggestions?

Tags (2)
0 Karma
Reply

Stephen_Sorkin
Splunk Employee
Splunk Employee
‎08-15-2010 09:11 PM

The problem here is that the charting subsystem requires that stacked elements be in different series in the table. Your search has to yield something like:

User  1   2
----- --- ---
User1 2.5
User2 3.1
User3 2.8 1.5
User4 7.4

You can convert your table to one like this by renaming values(Hour) to vals and adding at the end:

 | mvexpand vals | eval counter=1 | streamstats sum(counter) as instance by clientip | chart first(vals) as val by USER instance

Here we break each user into their individual values, use streamstats to accumulate an instance count, and reformulate the chart using the USER and instance.

Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Community Content Calendar, September edition

Welcome to another insightful post from our Community Content Calendar! We're thrilled to continue bringing ...

Splunkbase Unveils New App Listing Management Public Preview

Splunkbase Unveils New App Listing Management Public PreviewWe're thrilled to announce the public preview of ...

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you leveraging automation to its fullest potential in your threat detection strategy?Our upcoming Security ...