
Timechart Field Name Change

Motivator

Hi, I wonder whether someone may be able to help me please.

I've put together the query below.

index=main auditSource=frontend auditType=ExitSurvey | timechart span=1W count(eventId) by detail.manageClient | addtotals label=Total | rename 1 as "Very Good", 2 as "Good", 3 as "Neutral", 4 as "Bad", 5 as "Very Bad"

Could someone tell me please how I can change the row field from the time value to the field name, i.e. detail.manageClient?

Many thanks and kind regards

Chris


Re: Timechart Field Name Change

Communicator

Hi Chris,
Just wanted to clarify what you wanted to do, as timechart will always output the rows with the time as the first column (it aggregates the data into the timespans specified by the span command).
If you wanted to just have the weeks horizontally and the values by detail.manageClient as the rows, try the transpose command.


Re: Timechart Field Name Change

Motivator

Hi @kmugglet, thank you for taking the time to reply to my post, and my apologies for not being as clear as I should have been.

To be honest, I don't really need the time column at all, but using 'timechart' was the only way I could manage to have the feedback results, i.e. "Very Good", as the column headings.

I have looked at the 'transpose' command, but unfortunately this doesn't work because it now adds rows for span and span days?

Many thanks and kind regards

Chris


Re: Timechart Field Name Change

Communicator

Hi Chris,

If you just wanted to have no time column you could just add

 | fields - _time

to the end

However, this might be more like what you're looking for.

index=main auditSource=frontend auditType=ExitSurvey | bin span=1W _time | eval date=strftime(_time,"%F") | chart count(eventId) over detail.manageClient by date | addtotals label=Total | eval 'detail.manageClient' = case('detail.manageClient'==1,"Very Good", 'detail.manageClient'==2,"Good", 'detail.manageClient'==3,"Neutral", 'detail.manageClient'==4,"Bad", 'detail.manageClient'==5,"Very Bad")

That will spin your results around. Does the 1W span actually matter? Is it a grouping level you need?

Cheers, Keith


Re: Timechart Field Name Change

Motivator

Hi Keith, thank you very much for coming back to me with this.

I'll try to explain a little better than I have already.

I have three questions (detail.ManageClient, detail.Payment and detail.Recommend) which all have a rating of 1 to 5.

What I'd like to do is have the three questions one underneath the other as row headings.

I'd then like to have 1, 2, 3, 4 and 5 as my column headings.

Then the data in the table would be the total for each question under each rating.

I hope this helps and my apologies for not being clearer in my original post.

Many thanks and kind regards

Chris


Re: Timechart Field Name Change

Esteemed Legend

Back up and ditch timechart and use xyseries instead; then you should be able to make it work on your own (if not, comment on my answer):

https://answers.splunk.com/answers/93327/xyseries-vs-chart-over-by.html

http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Xyseries


Re: Timechart Field Name Change

Motivator

Hi @woodcock, thank you for taking the time to come back to me with this.

I've had a look at the links you provided plus a whole host of posts around multiple data series, and to be honest I'm still struggling with this.

I couldn't understand how to set the xyseries command for multiple data series, so I've come up with the following:

index=main auditSource=frontend auditType=ExitSurvey detail.manageClientList="*"| chart count over tags.path by detail.manageClient |replace /agent/survey With "Manage Client Ratings Totals" |  rename tags.path AS "GDS Rating" |addtotals label=Total

Unfortunately, although this displays the figures for the first of the three questions, i.e. "Manage Client", I'm still unable to add the two other questions so that they fall under the same columns as the first.

Many thanks and kind regards

Chris


Re: Timechart Field Name Change

Esteemed Legend

Based on your clarification, you need the contingency command to build a contingency table (you are really going to like this!)

If you have or can create a field called "question" which has either {detail.manageClient, detail.Payment, detail.Recommend}, then you can do it like this:

... | contingency tags.path question

If not, you should be able to do it like this:

 index=main auditSource=frontend auditType=ExitSurvey | contingency tags.path detail.manageClient | append
 [search index=main auditSource=frontend auditType=ExitSurvey | contingency tags.path detail.Payment] | append
 [search index=main auditSource=frontend auditType=ExitSurvey | contingency tags.path detail.Recommend]
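Added example (not @woodcock's query): one way to build the "question" field that the single-contingency variant above assumes, so that one contingency call yields the three questions as rows and the ratings 1 to 5 as columns, which is the table Chris described. It assumes each event carries eventId together with the three rating fields; untable turns those three columns into question/score pairs, the where clause drops events that did not answer a given question, and the final rename is the same relabelling Chris used in his original search (it does nothing if a rating value never occurs).

```spl
index=main auditSource=frontend auditType=ExitSurvey
| table eventId detail.manageClient detail.Payment detail.Recommend
| untable eventId question score
| where isnotnull(score)
| contingency question score
| rename 1 AS "Very Good", 2 AS "Good", 3 AS "Neutral", 4 AS "Bad", 5 AS "Very Bad"
```

Because contingency adds its own TOTAL row and column, no addtotals is needed here; each row is one question and each cell is the number of events that gave that rating.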


Re: Timechart Field Name Change

Motivator

Hi @woodcock, I really appreciate you coming back to me with this.

The problem I now have is rather than producing one horizontal 'Overall' total at the end of the questions, there is a total line under each question.

Could you tell me please, is there a way to overcome this?

And yes, you are correct, I do like this!

Many thanks and kind regards


Re: Timechart Field Name Change

Esteemed Legend

Just add this to the original solution:

| where tags.path detail.manageClient!="TOTAL" AND tags.path detail.Payment!="TOTAL" AND tags.path detail.Recommend!="TOTAL" | fillnull value=0 | addtotals col=t | fillnull value="TOTAL"