Splunk Search

Stacked Chart totaling all instances of an event.

GratefulDude
Explorer

I'm having a bit of trouble finishing up a report.

I'm trying to give a report of how long users were logged into a system over the course of a day. Sometimes a user logs in multiple times. I want to have a stacked chart showing each time a user logged in added together.

I have:

source="*usermonitor*.log" "usermanager reports user * logged" | rex "usermanager reports user (?P<USER>[^\.]*) logged " |search USER="*"  | transaction USER startswith="logged in, reply " endswith="logged out, reply "   | eval Hours=round(duration/3600,2) |chart values(Hours) by USER

The results show exactly what I want. A list like:

User1     2.5
User2     3.1
User3     2.8
          1.5
User4     7.4

etc.
Now when I "Show Report", I only see values on the chart for Users with only 1 entry and I can't make it a "Stacked" chart to total them all.

Of course, doing a "|chart sum(Hours) by USER" gives me the correct totals for all of the users, but I lose the individual values.

Any Suggestions?


Stephen_Sorkin
Splunk Employee

The problem here is that the charting subsystem requires that stacked elements be in different series in the table. Your search has to yield something like:

User  1   2
----- --- ---
User1 2.5
User2 3.1
User3 2.8 1.5
User4 7.4

You can convert your table to one like this by renaming values(Hours) to vals and adding at the end:

| mvexpand vals | eval counter=1 | streamstats sum(counter) as instance by USER | chart first(vals) as val by USER instance

Here we break each user into their individual values, use streamstats to accumulate an instance count, and reformulate the chart using the USER and instance.
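A self-contained search that shows the same pivot, added here as an example and not taken from either post. It replaces the usermonitor log and the transaction stage with a constructed per-session table built by makeresults (assumes Splunk 6.3 or later), and numbers each user's sessions with streamstats count directly, so the values()/mvexpand round trip is not needed; the chart output has one column per session instance, which the stacked chart then adds up per user.

```spl
| makeresults
| eval row=split("User1 2.5,User2 3.1,User3 2.8,User3 1.5,User4 7.4", ",")
| mvexpand row
| rex field=row "(?<USER>\S+)\s+(?<Hours>\S+)"
| eval Hours=tonumber(Hours)
| fields USER Hours
| streamstats count as instance by USER
| chart first(Hours) as val by USER instance
```

With real data, replace everything before the streamstats line with the original search through `eval Hours=round(duration/3600,2)`; the rows after transaction already have one USER and Hours per session, which is all the last two commands need.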
