Why can't I chart over multiple fields?

Path Finder

I would imagine it could return multivalue fields, but there could be advantages to being able to chart sum(foo) over _time, field1, field2 by field3. Could mimic a regular pivot table in the right scenario. Is this possible using some other method?

Thanks in advance!

Re: Why can't I chart over multiple fields?

Motivator

So it's a multidimensional chart you're trying to create?

There is a nice time chart solution provided here: http://splunk-base.splunk.com/answers/59045/how-do-i-make-a-multi-dimension-timechart

0 Karma

Re: Why can't I chart over multiple fields?

Path Finder

Thanks, take for example (just an example, I'm not splunking fruit):

timestamp=10/21/2008 04:16:31 Product=Apples Type=Macintosh key3=purchase value=31 units=dollars

timestamp=10/21/2008 04:18:41 Product=Apples Type=Granny key3=purchase value=118 units=dollars

timestamp=10/21/2008 05:19:30 Product=Apples Type=Macintosh key3=sale value=161 units=dollars

timestamp=10/21/2008 07:48:08 Product=Oranges Type=Navel key3=purchase value=18 units=dollars

I am unable to figure out how to (even in a basic table) say: chart sum(value) over Product, Type by key3

I'd like to maintain columns for each kv if possible as well for sorting and exporting.

0 Karma

Re: Why can't I chart over multiple fields?

Legend

stats could be your friend here.

0 Karma

Re: Why can't I chart over multiple fields?

Path Finder

Thanks, I can see a row-based estimation on as many fields as I want to report on with stats, but what I really need is the columnar format of chart, for example:

| Product | Type | purchase | sale |
|---|---|---|---|
| Apples | Macintosh | 31 | 161 |
| Apples | Granny | 118 | 0 |
| Oranges | Navel | 18 | 0 |

If I use stats, I still need to use xyseries as far as I know and this still only allows for a single x value. Right now I'm staging out the additional columns into a file via outputlookup and then joining them back in, but that's too complex. Thanks!
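
An added example, not part of the thread: one common way to produce the table asked for above is to join the row fields into a single key, chart over that key, then split the key back into separate columns. The events are constructed from the four sample lines posted earlier, and the field name `row` and the `::` separator are names chosen here; the separator must not occur in the field values.

```spl
| makeresults
| eval raw=split("Product=Apples Type=Macintosh key3=purchase value=31;Product=Apples Type=Granny key3=purchase value=118;Product=Apples Type=Macintosh key3=sale value=161;Product=Oranges Type=Navel key3=purchase value=18", ";")
| mvexpand raw
| rex field=raw "Product=(?<Product>\S+) Type=(?<Type>\S+) key3=(?<key3>\S+) value=(?<value>\d+)"
| eval row=Product."::".Type
| chart sum(value) over row by key3
| rex field=row "^(?<Product>.+?)::(?<Type>.+)$"
| fillnull value=0 purchase sale
| table Product Type purchase sale
```

Against real data, the first four lines are replaced by the base search; the same combined key also works with `stats ... by Product Type key3` followed by `xyseries row key3 <sum field>`.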