Splunk Search

chart over multiple fields

Jyothik
New Member

Hello Splunkers,

We are trying to get a chart over multiple fields, sample as below. We are not able to get it; kindly help us on how to query it.

Month Country  Sales count
01     A       10
02     B       30
03     C       20
04     D       10 

Thanks in advance
Jyothi


woodcock
Esteemed Legend

Your field names are beyond awful (the values aren't too great either) but try this:

 ... | stats dc("Ticket ID") AS "Sales count" BY "Calendar Year /Month" Country

Jyothik
New Member

Thanks to all, got the output.

Sukisen1981
Champion

try this -

| timechart span=1mon count by country | join _time [search | timechart span=1mon sum(sales)]

Jyothik
New Member

This helped me and gave some output, but not totally the way I'm looking for: I want the 01.2017 calendar year to display as Jan 2017, Feb 2017. Instead it is displaying as 2012-03; my data doesn't contain 2012 at all. The output is as below.

_time    Incident  NULL  Service Request
2012-03  3992      5     0
2012-04  0         0     0
2012-05  0         0     0
2012-06  0         0     0
2012-07  0         0     0
2012-08  0         0     0
2012-09  0         0     0
2012-10  0         0     0
2012-11


Jyothik
New Member

Still getting the same result with no change. We have the below fields: 1.2017 is Jan 2017 and 2.2017 is Feb 2017, and so on. Month on the x axis and no. of tickets on the y axis.

Calendar Year_Month  Country  No.of Tickets
1.2017               USA      10
2.2017               MX       20
3.2017               UK       40

Urgent to produce the dashboard, kindly help me. Thanks in advance.

Sukisen1981
Champion

Hmmm ... your data needs more explanation. Are you trying sales or ticket counts? Can you provide a sample of your true raw data and what exactly you need? _time won't take your custom time field, but there is a way to make a time chart of your custom time field. You need to provide a clearer sample of your data. Trust me, it is not as difficult as it looks; I just need your data sample to actually look into the fields and formats you have and what exactly you need.

Jyothik
New Member

Hello colleagues,

Below is the raw data. From the below, I would like to know the no. of tickets created in the month of January (01.2017) per country. Thanks in advance.

Ticket ID  Ticket Type      Calendar Year /Month  Country
500235     Service Request  01.2017               Berlin
500235     Service Request  01.2017               Berlin
400238     Service Request  01.2017               USA
500242     Service Request  01.2017               Mexico
50024      Service Request  01.2017               Japan
50024      Service Request  01.2017               Japan
40024      Service Request  01.2017               Japan
40024      Service Request  01.2017               India
50024      Service Request  03.2017               India
50024      Service Request  03.2017               India
50024      Service Request  01.2017               India
50024      Service Request  02.2017               Japan
40024      Service Request  02.2017               Japan
40024      Service Request  02.2017               Mexico
50024      Service Request  02.2017               Mexico


cmerriman
Super Champion

If I understand what you need, will something like this work:

|eval month_country=Month."|".Country
|chart count by month_country Sales
|rex field=month_country "(?<Month>\d+)\|(?<Country>.*)"
|fields - month_country

Jyothik
New Member

Month and country are not the same field: month is a different field, country is a different field, and sales count is a different field. Looking to have month-wise on the 'x' axis, and sales and country on the 'y' axis, with different colors on a bar chart: a colored bar to represent each country.

Kindly help me to get it with a query.

Regards,
Jyothi

cmerriman
Super Champion

Try this syntax and let me know if the output is close to what you're looking for:

|makeresults |eval data="month=1,country=A,salescount=10 month=2,country=B,salescount=30 month=3,country=C,salescount=20 month=4,country=D,salescount=10"| makemv data | mvexpand data | rename data as _raw | kv|eval{country}=salescount|fields - country salescount _time _raw|fields month *

If so, take your syntax and add |rename "Sales Count" as salescount|eval{Country}=salescount|fields - Country salescount|fields month * to it.

woodcock
Esteemed Legend

Like this:

... | stats count AS "Sales count" sum(count) AS "Sum count" BY date_month Country

Jyothik
New Member

It didn't help; we want exactly month-wise, country-wise sales count. Please help with the query.

Regards,
Jyothi

woodcock
Esteemed Legend

Try this:

... | stats count AS "Sales count" sum(count) AS "Sum count" values(Country) BY date_month

BTW, your question is vague and you did not supply any usable sample data, nor an unambiguous mockup of the final goal. This means that it is very difficult for people to help and much time is likely to be wasted. Ask questions better to get better answers.

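An added example, not from any poster in this thread: one way to build the month-by-country chart the thread is after. It takes up the remark above that `_time` will not pick up a custom time field, by parsing the `MM.YYYY` value into `_time` with `strptime`. It then counts distinct tickets per month and country and labels each month as `Jan 2017`. The rows are the raw data sample posted in the thread, embedded with `makeresults`; the field names `ticket_id` and `year_month` are assumptions made for this sketch.

```spl
| makeresults
| eval data="500235,01.2017,Berlin;500235,01.2017,Berlin;400238,01.2017,USA;500242,01.2017,Mexico;50024,01.2017,Japan;50024,01.2017,Japan;40024,01.2017,Japan;40024,01.2017,India;50024,03.2017,India;50024,03.2017,India;50024,01.2017,India;50024,02.2017,Japan;40024,02.2017,Japan;40024,02.2017,Mexico;50024,02.2017,Mexico"
| makemv delim=";" data
| mvexpand data
| rex field=data "^(?<ticket_id>[^,]+),(?<year_month>[^,]+),(?<Country>.+)$"
| eval _time=strptime("01." . year_month, "%d.%m.%Y")
| timechart span=1mon dc(ticket_id) BY Country
| eval Month=strftime(_time, "%b %Y")
| fields - _time
| table Month *
```

Against real events, replace the first five lines with the base search. In `eval`, a field name containing spaces goes in single quotes, for example `'Calendar Year /Month'`.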