Hello Splunkers,
We are trying to get a chart over multiple fields, sample as below. We are not able to get it; kindly help us on how to query it.
Month  Country  Sales count
01     A        10
02     B        30
03     C        20
04     D        10
Thanks in advance
Jyothi
Try this -
| timechart span=1mon count by country | join _time [search | timechart span=1mon sum(sales)]
Your field names are beyond awful (the values aren't too great either) but try this:
... | stats dc("Ticket ID") AS "Sales count" BY "Calendar Year /Month" Country
Thanks to all, got the output.
Try this -
| timechart span=1mon count by country | join _time [search | timechart span=1mon sum(sales)]
This helped me and gave some output, but not totally the way I'm looking for: 01.2017 calendar year to display as Jan 2017, Feb 2017. Instead it is displaying as 2012-03; my data doesn't contain 2012 at all, which is as below.
_time    Incident  NULL  Service Request
2012-03  3992      5     0
2012-04  0         0     0
2012-05  0         0     0
2012-06  0         0     0
2012-07  0         0     0
2012-08  0         0     0
2012-09  0         0     0
2012-10  0         0     0
2012-11
Still getting the same result with no change. We have the below fields: 1.2017 is Jan 2017 and 2.2017 is Feb 2017... month on x axis and no. of tickets on y axis.
Calendar Year_Month  Country  No.of Tickets
1.2017               USA      10
2.2017               MX       20
3.2017               UK       40
Urgent to produce the dashboard, kindly help me. Thanks in advance.
Hmmm... your data needs more explanation. Are you trying sales or ticket counts? Can you provide a sample of your true raw data and what exactly you need? _time won't take your custom time field, but there is a way to make a time chart of your custom time field. You need to provide a clearer sample of your data. Trust me, it is not as difficult as it looks; I just need your data sample to actually look into the fields and formats you have and what exactly you need...
Hello colleagues,
Below is the raw data. From the below I would like to know the no. of tickets created in the month of January (01.2017) per country. Thanks in advance.
Ticket ID  Ticket Type      Calendar Year /Month  Country
500235     Service Request  01.2017               Berlin
500235     Service Request  01.2017               Berlin
400238     Service Request  01.2017               USA
500242     Service Request  01.2017               Mexico
50024      Service Request  01.2017               Japan
50024      Service Request  01.2017               Japan
40024      Service Request  01.2017               Japan
40024      Service Request  01.2017               India
50024      Service Request  03.2017               India
50024      Service Request  03.2017               India
50024      Service Request  01.2017               India
50024      Service Request  02.2017               Japan
40024      Service Request  02.2017               Japan
40024      Service Request  02.2017               Mexico
50024      Service Request  02.2017               Mexico
If I understand what you need, will something like this work:
|eval month_country=Month . "|" . Country
|chart count by month_country Sales
|rex field=month_country "(?<Month>\d+)\|(?<Country>.*)"
|fields - month_country
Month and country are not the same fields: month is a different field, country is a different field and sales count is a different field. Looking to have month wise on the 'x' axis, and sales on the 'y' axis, with country in different colors on a bar chart. A colored bar to represent each country.
Kindly help me get it with a query.
Regards,
Jyothi
Try this syntax and let me know if the output is close to what you're looking for:
| makeresults
| eval data="month=1,country=A,salescount=10 month=2,country=B,salescount=30 month=3,country=C,salescount=20 month=4,country=D,salescount=10"
| makemv data
| mvexpand data
| rename data as _raw
| kv
| eval {country}=salescount
| fields - country salescount _time _raw
| fields month *
If so, take your syntax and add | rename "Sales Count" as salescount | eval {Country}=salescount | fields - Country salescount | fields month *
to it.
Like this:
... | stats count AS "Sales count" sum(count) AS "Sum count" BY date_month Country
It didn't help; we want exactly month wise, country wise sales count. Please help on the query.
Regards,
Jyothi
Try this:
... | stats count AS "Sales count" sum(count) AS "Sum count" values(Country) BY date_month
BTW, your question is vague and you did not supply any usable sample data, nor an unambiguous mockup of the final goal. This means that it is very difficult for people to help and much time is likely to be wasted. Ask questions better to get better answers.
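Added example, not part of any post in the thread: one way to chart distinct tickets per month and country from the raw sample posted above, with the x-axis labelled in the "Jan 2017" style and kept in calendar order. The field names `ticket_id`, `ticket_type`, `year_month` and `month_epoch`, and the inline `makeresults` rows (a constructed subset of the posted sample), are assumptions; on real events, replace the first five commands with the base search and the indexed field names.

```spl
| makeresults
| eval data="500235,Service Request,01.2017,Berlin;500235,Service Request,01.2017,Berlin;400238,Service Request,01.2017,USA;500242,Service Request,01.2017,Mexico;50024,Service Request,01.2017,Japan;40024,Service Request,01.2017,Japan;40024,Service Request,01.2017,India;50024,Service Request,03.2017,India;50024,Service Request,02.2017,Japan;40024,Service Request,02.2017,Mexico"
| makemv delim=";" data
| mvexpand data
| rex field=data "^(?<ticket_id>[^,]+),(?<ticket_type>[^,]+),(?<year_month>[^,]+),(?<Country>.+)$"
| eval month_epoch=strptime("01." . year_month, "%d.%m.%Y")
| chart dc(ticket_id) over month_epoch by Country
| sort 0 month_epoch
| eval Month=strftime(month_epoch, "%b %Y")
| fields - month_epoch
| table Month *
```

The month string is parsed into an epoch value first so the rows sort chronologically, and only then rendered as a label; charting directly over a "Jan 2017" string would sort the months alphabetically. `dc()` counts each ticket ID once per month and country, so the repeated Berlin row for 500235 contributes 1.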