Re: chart totals for series of columns

mcaulsc · ‎12-17-2020

I seem to have tied myself in a knot.

I have data similar to:

h1 h2 h3 h4

a 12 123 231

a 32 45 678

b 43 56 78

What I want is a chart of the totals for h2, h3 and h4, it's probably stunningly easy but for the life of me I can't get it.

thanks.

mcaulsc · ‎12-17-2020

I managed to get what I want with the below in the end, is there a more compact solution?

| chart sum(h1) as Hour1 sum(h2) as Hour2 sum(h3) as Hour3 sum(h4) as Hour4 ....... by extract_date

to4kawa · ‎12-17-2020

What's your whole query?

mcaulsc · ‎12-17-2020

not much else to it just pulling the data from an index:

index=my_index sourcetype=mysrc Database=ABC* extract_date=12/11/20| chart sum(h1) as Hour1 sum(h2) as Hour2 sum(h3) as Hour3 sum(h4) as Hour4 ....... by extract_date

to4kawa · ‎12-17-2020

What is the meaning of your compact?

If it's fast, there shouldn't be any problem.

to4kawa · ‎12-17-2020

|makeresults
| eval _raw="h1  h2   h3    h4
a    12  123  231
a    32  45    678
b   43   56   78"
| multikv forceheader=1
| table h*
| fillnull total
| rename h1 as _h1
| foreach h* [eval total=total+<<FIELD>>]
| stats sum(total) as total by _h1
| rename _h1 as h1

I'm not sure what you want. but how about this?

chart totals for series of columns

chart

October Community Champions: A Shoutout to Our Contributors!

Community Content Calendar, November Edition

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

Are you a member of the Splunk Community?

chart totals for series of columns

chart

October Community Champions: A Shoutout to Our Contributors!

Community Content Calendar, November Edition

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!