Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

i have a results which has order status across many system. i want to group by order status with system in bar graph

DataOrg
Builder
‎07-03-2017 01:37 AM

status1 status2 status3 status4 status5
complete failed complete complete failed
cancelled inprogress failed success null
Null delivery in progress failed complete

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

niketn
Legend
‎07-03-2017 04:35 AM

@premranjithj, following is the run anywhere search based on your data. If it is coming from CSV in exact same format that you have provided, this should be one of the ways to plot your result. If your raw events are in different format than provided(like individual events with timestamp and field names/possible extraction for both System and Status, there might actually be better way to write this query)

| makeresults
| eval System1="complete"
| eval System2="failed"
| eval System3="complete"
| eval System4="complete"
| eval System5="failed"
| append [| makeresults
          | eval System1="cancelled"
          | eval System2="inprogress"
          | eval System3="failed"
          | eval System4="success"
          | eval System5="null"]
| append [| makeresults
          | eval System1="null"
          | eval System2="delivery"
          | eval System3="inprogress"
          | eval System4="failed"
          | eval System5="complete"]
| fields - _time
| stats list(System*) as System*
| transpose header_field="column" column_name="System"
| rename "row 1" as "Status"
| mvexpand Status
| chart count over System by Status

Query till | fields - _time is used to mock the data in the question. Remaining query is your answer.
Additionally, you will need bar chart options as per my previous comment:

 <option name="charting.chart">bar</option>
 <option name="charting.chart.stackMode">stacked</option>
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

View solution in original post

Reply
Solved! Jump to solution
Solution

niketn
Legend
‎07-03-2017 04:35 AM

@premranjithj, following is the run anywhere search based on your data. If it is coming from CSV in exact same format that you have provided, this should be one of the ways to plot your result. If your raw events are in different format than provided(like individual events with timestamp and field names/possible extraction for both System and Status, there might actually be better way to write this query)

| makeresults
| eval System1="complete"
| eval System2="failed"
| eval System3="complete"
| eval System4="complete"
| eval System5="failed"
| append [| makeresults
          | eval System1="cancelled"
          | eval System2="inprogress"
          | eval System3="failed"
          | eval System4="success"
          | eval System5="null"]
| append [| makeresults
          | eval System1="null"
          | eval System2="delivery"
          | eval System3="inprogress"
          | eval System4="failed"
          | eval System5="complete"]
| fields - _time
| stats list(System*) as System*
| transpose header_field="column" column_name="System"
| rename "row 1" as "Status"
| mvexpand Status
| chart count over System by Status

Query till | fields - _time is used to mock the data in the question. Remaining query is your answer.
Additionally, you will need bar chart options as per my previous comment:

 <option name="charting.chart">bar</option>
 <option name="charting.chart.stackMode">stacked</option>
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
Reply
Solved! Jump to solution

DataOrg
Builder
‎07-03-2017 05:20 AM

@niketnilay but it takes only 100 results. i have 200 value but it take only 100 results

0 Karma
Reply
Solved! Jump to solution

niketn
Legend
‎07-03-2017 07:10 PM

Are you monitoring 200 systems? Try changing mvexpand limit to 200 in your case.

| mvexpand Status limit=200

Let me know if it does not work.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Solved! Jump to solution

niketn
Legend
‎07-03-2017 02:25 AM

@premranjithj, You will have to provide more details of your data and fields. Since your intention is to have various Order Status groups by system, I will assume field names status and system.

<YourBaseSearchIndexAndSourcetype> status=* system=*
| chart count over system by status

You would need to turn on Stack mode for bar chart.

    <option name="charting.chart">bar</option>
    <option name="charting.chart.stackMode">stacked</option>
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Solved! Jump to solution

DataOrg
Builder
‎07-03-2017 03:08 AM

System1 SYSTem2 system3 system4 system5
complete faile complete complete failed
cancelled inprogress failed success null
Null delivery in progress failed complete

all the system are with different name. i want to group each system with status.
ex: system 1 with status in a group by barchart

0 Karma
Reply
Get Updates on the Splunk Community!

Cloud Platform & Enterprise: Classic Dashboard Export Feature Deprecation

As of Splunk Cloud Platform 9.3.2408 and Splunk Enterprise 9.4, classic dashboard export features are now ...

Explore the Latest Educational Offerings from Splunk (November Releases)

At Splunk Education, we are committed to providing a robust learning experience for all users, regardless of ...

New This Month in Splunk Observability Cloud - Metrics Usage Analytics, Enhanced K8s ...

The latest enhancements across the Splunk Observability portfolio deliver greater flexibility, better data and ...