Splunk Search

I have results which have order status across many systems. I want to group by order status with system in a bar graph.

Builder

status1     status2      status3       status4     status5
complete    failed       complete      complete    failed
cancelled   inprogress   failed        success     null
Null        delivery     in progress   failed      complete

0 Karma
1 Solution

SplunkTrust

@premranjithj, the following is a run-anywhere search based on your data. If it is coming from a CSV in exactly the same format that you have provided, this should be one of the ways to plot your result. If your raw events are in a different format than provided (like individual events with a timestamp and field names / possible extraction for both System and Status), there might actually be a better way to write this query.

| makeresults
| eval System1="complete"
| eval System2="failed"
| eval System3="complete"
| eval System4="complete"
| eval System5="failed"
| append [| makeresults
          | eval System1="cancelled"
          | eval System2="inprogress"
          | eval System3="failed"
          | eval System4="success"
          | eval System5="null"]
| append [| makeresults
          | eval System1="null"
          | eval System2="delivery"
          | eval System3="inprogress"
          | eval System4="failed"
          | eval System5="complete"]
| fields - _time
| stats list(System*) as System*
| transpose header_field="column" column_name="System"
| rename "row 1" as "Status"
| mvexpand Status
| chart count over System by Status

The query up to | fields - _time is used to mock the data in the question. The remaining query is your answer.
Additionally, you will need the bar chart options as per my previous comment:

 <option name="charting.chart">bar</option>
 <option name="charting.chart.stackMode">stacked</option>
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"


Builder

@niketnilay but it takes only 100 results. I have 200 values but it takes only 100 results.

0 Karma

SplunkTrust

Are you monitoring 200 systems? Try changing the mvexpand limit to 200 in your case.

| mvexpand Status limit=200

Let me know if it does not work.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
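As an added example that is not part of the original thread: a second way to get the same stacked bar chart from the same five-column layout, serving both the accepted answer above and the follow-up about only 100 of 200 results showing up. stats list() returns at most 100 values per field, so the list/transpose/mvexpand route caps the number of orders it can carry into the chart at that stage; untable turns every SystemN column of every row into its own (System, Status) row directly and has no such cap. The first five lines mock the same three rows as the accepted answer; the field name order_row, the lowercase/space-stripping normalisation of Status (so that "in progress" and "inprogress", "Null" and "null" land in the same bar) and limit=0 on chart are my own additions, not something the original poster's data requires.

```spl
| makeresults
| eval System1="complete", System2="failed", System3="complete", System4="complete", System5="failed"
| append [| makeresults | eval System1="cancelled", System2="inprogress", System3="failed", System4="success", System5="null"]
| append [| makeresults | eval System1="Null", System2="delivery", System3="in progress", System4="failed", System5="complete"]
| fields - _time
| streamstats count as order_row
| untable order_row System Status
| eval Status=lower(replace(Status, " ", ""))
| chart limit=0 count over System by Status
```

Everything from | fields - _time onward is the part to keep when the data comes from a lookup or CSV with one order per row and one column per system: streamstats gives each row an identifier, untable pivots the System1..System5 columns into rows, and chart counts per system and status. The same dashboard options as above (charting.chart bar, stackMode stacked) turn the result into a stacked bar chart. limit=0 stops chart from folding status values beyond the default of ten into an OTHER series; with only the handful of statuses in the question it changes nothing, but it matters for systems with many distinct states.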

SplunkTrust

@premranjithj, you will have to provide more details of your data and fields. Since your intention is to have the various order statuses grouped by system, I will assume the field names status and system.

<YourBaseSearchIndexAndSourcetype> status=* system=*
| chart count over system by status

You would need to turn on stack mode for the bar chart.

    <option name="charting.chart">bar</option>
    <option name="charting.chart.stackMode">stacked</option>
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

Builder

System1     SYSTem2      system3       system4     system5
complete    failed       complete      complete    failed
cancelled   inprogress   failed        success     null
Null        delivery     in progress   failed      complete

All the systems have different names. I want to group each system with its status,
e.g. system 1 with its statuses in a group in a bar chart.

0 Karma