I am new to Splunk, so this question might be straightforward! I am looking to create a stacked chart by day.
This is the search that worked for 1 column. I am looking to add many more columns in addition to Mobile, e.g. 720P and 1080P, so the strings are OutputProfile-720P and OutputProfile-1080P. What is the best way to create a timechart with 3 columns and then create a stacked bar chart?
"OutputProfile-Mobile" NOT "Failed" | timechart count(host) as "Mobile"
Thanks very much for your help!
Thanks very much, this was very helpful!
I had just a couple more questions -
Convert the current search to a summary index search, and schedule the search to run every day at 1 am or 2 am to get yesterday's data and store it in the summary index.
Create another search to get data from the summary index, and in your dashboard do the search with timechart span=1m for a year. The search will be faster.
Create an Advanced dashboard with a time component so that with a custom time you can make your search run.
Yes, it's case sensitive. I don't know, somehow it's not showing my backslash and the uppercase was gone, I don't know; hopefully this comment displays my search properly... :)
search "OutputProfile-720P" OR "OutputProfile-1080P" NOT "Failed" | rex "OutputProfile-(?
MOBILE_TYPE at the end has to be lower-case, as field names are case-sensitive. You could make that search even more generic with
"OutputProfile-720P" OR "OutputProfile-1080P" OR "OutputProfile-Mobile" NOT "Failed" | rex "OutputProfile-(?
It's not quite as straightforward as you might think. The timechart command can only accept one 'split by' series, kind of like this:
timechart count by field
So you need to create a single field that reflects the type of data. There are lots of ways to do this, but I suggest this as a starting point:
Create an eventtype for each profile. For example, run the following search and then save it as an eventtype named "Mobile" ("Create Eventtype" in 4.3):
"OutputProfile-Mobile" NOT "Failed"
After you have created the eventtypes, run the following search:
eventtype=Mobile OR eventtype=P720 OR eventtype=P1080 | timechart count(host) by eventtype
count(host) actually means "count the number of events that have a value for the host field", and not "count the number of unique hosts." I mention this because it is often a point of confusion.
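As an added illustration that is not part of the thread, here is a small Python model of what the rex-style extraction followed by timechart count(host) by a single split-by field produces over constructed sample log lines, with a second function showing why count(host) differs from a distinct-host count. The sample events and the field name mobile_type are assumptions, not data from the original post.

```python
import re
from collections import defaultdict

# Constructed sample events (not from the thread): ISO timestamp, host, message.
SAMPLE_EVENTS = [
    "2012-05-01T09:14:02 host=enc01 msg=OutputProfile-Mobile rendition complete",
    "2012-05-01T09:20:41 host=enc02 msg=OutputProfile-720P rendition complete",
    "2012-05-01T11:03:17 host=enc01 msg=OutputProfile-1080P rendition Failed",
    "2012-05-01T13:45:09 host=enc01 msg=OutputProfile-Mobile rendition complete",
    "2012-05-02T08:02:55 host=enc03 msg=OutputProfile-1080P rendition complete",
    "2012-05-02T08:30:12 host=enc03 msg=OutputProfile-720P rendition complete",
    "2012-05-02T10:11:48 msg=OutputProfile-720P rendition complete",  # no host field
]

# Stand-in for the thread's rex; the group name mobile_type is an assumption.
PROFILE_RE = re.compile(r"OutputProfile-(?P<mobile_type>\w+)")
HOST_RE = re.compile(r"\bhost=(\S+)")


def parse_event(line):
    """Return (day, host or None, mobile_type, failed), or None if no profile string."""
    m = PROFILE_RE.search(line)
    if not m:
        return None
    h = HOST_RE.search(line)
    return line[:10], (h.group(1) if h else None), m.group("mobile_type"), "Failed" in line


def kept_events(lines):
    """Apply NOT "Failed" and the count(host) rule: the event must carry a host value."""
    for line in lines:
        parsed = parse_event(line)
        if parsed is None or parsed[3] or parsed[1] is None:
            continue
        yield parsed[:3]


def timechart_count_host_by_profile(lines):
    """Mimic: NOT "Failed" | timechart span=1d count(host) by mobile_type (one column per profile)."""
    table = defaultdict(lambda: defaultdict(int))
    for day, _host, profile in kept_events(lines):
        table[day][profile] += 1
    return {day: dict(cols) for day, cols in sorted(table.items())}


def distinct_hosts_by_profile(lines):
    """What count(host) is often mistaken for: dc(host) by mobile_type per day."""
    seen = defaultdict(lambda: defaultdict(set))
    for day, host, profile in kept_events(lines):
        seen[day][profile].add(host)
    return {day: {p: len(s) for p, s in cols.items()} for day, cols in sorted(seen.items())}
```

The first function returns one row per day with one column per profile value, which is exactly the table shape a stacked bar chart consumes; on the sample data Mobile counts 2 events on the first day but only 1 distinct host.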