Splunk Search
Highlighted

chart over multiple fields

New Member

hello splunkers,

We are trying to get the chart over for multiple fields sample as below , we are not able to get it, kindly help us on how to query it.

Month Country  Sales count
01     A       10
02     B       30
03     C       20
04     D       10 

Thanks in advance
Jyothi

0 Karma
Highlighted

Re: chart over multiple fields

Esteemed Legend

Like this:

... | stats count AS "Sales count" sum(count) AS "Sum count" BY date_month Country
0 Karma
Highlighted

Re: chart over multiple fields

New Member

it didn't help, we want exactly moth wise, country wise sales count. please help on query

Regards,
Jyothi

0 Karma
Highlighted

Re: chart over multiple fields

Esteemed Legend

Try this:

... | stats count AS "Sales count" sum(count) AS "Sum count" values(Country) BY date_month

BTW, your question is vague and you did not supply any usable sample data, nor an unambiguous mockup of the final goal. This means that it is very difficult for people to help and much time is likely to be wasted. Ask questions better to get better answers.

0 Karma
Highlighted

Re: chart over multiple fields

Super Champion

If I understand what you need, will something like this work:

|eval month_country=Month+"|"+Country
|chart count by month_country Sales
|rex field=month_country "(?<Month>\d+)\|(?<Country>.*)"
|fields - month_country
0 Karma
Highlighted

Re: chart over multiple fields

New Member

month and country are not same fields, month is different fiel, country is different field and sales count is different filed. looking to have on' x' axis month wise and on 'y' axis sales and country with different colors on bar chart. color Bar to represent each country.

Kindly help it to get me with query.

Regards,
Jyothi

0 Karma
Highlighted

Re: chart over multiple fields

Super Champion

try this syntax and let me know if the output is close what you're looking for :

|makeresults |eval data="month=1,country=A,salescount=10 month=2,country=B,salescount=30 month=3,country=C,salescount=20 month=4,country=D,salescount=10"| makemv data | mvexpand data | rename data as _raw | kv|eval{country}=salescount|fields - country salescount _time _raw|fields month *

if so, take your syntax and add |rename "Sales Count" as salescount|eval{Country}=salescount|fields - Country salescount|fields month * to it.

0 Karma
Highlighted

Re: chart over multiple fields

Champion

try this -

| timechart span=1mon count by country | join _time [search | timechart span=1mon sum(sales)]

View solution in original post

Highlighted

Re: chart over multiple fields

New Member

this helped me and gave some output but not the way totally i'm looking for 01.2017 calendar year to display as Jan 2017,
feb 2017,
instead that way it is displaying as 2012-03, my data doesn't contain 2012 at all which is as below.

_time Incident NULL Service Request
2012-03 3992 5 0
2012-04 0 0 0
2012-05 0 0 0
2012-06 0 0 0
2012-07 0 0 0
2012-08 0 0 0
2012-09 0 0 0
2012-10 0 0 0
2012-11

0 Karma
Highlighted

Re: chart over multiple fields

New Member

still getting the same result with no change , we have the below fields. 1.2017 is Jan 2017 and 2.2017 is feb 2017......month on x axis and no.of tickets on y axis .

Calendar Year_Month Country No.of Tickets
1.2017 USA 10
2.2017 MX 20
3.2017 UK 40

urgent to produce the dashboard, kindly help me. thanks in advance

0 Karma