|stats count(sum) as a grouped TIMECHART

TCK101 · ‎12-18-2018

Hello
...query

| bucket span=1month _time 
| eval date=strftime(_time, "%Y/%m/%d ") 
|stats count sum(2017_totals) as "Last_Year" sum(2018_totals) as "This_Year"  by  date county

Example Results:

The count is the number of the rows - e..g sales
Last_year is the SUM of totals for that month / year
This_year is the SUM of totals for that month / year

date                country      count     Last_Year      This_Year

2018/12/01     UK                27         300                400
2018/12/01     USA              22          200               350
2018/12/01     CHINA         12           150               200
2018/11/01     UK                 33           250             300
2018/11/01     USA              24           205            360
2018/11/01     CHINA           18           140           190

How can I get this in a chart where date is the X axis and group by COUNTRY

At the moment, the chart is just showing One country count and Last_Year This_Year as a bar chart

I wanted the chart to be something like X axis is time and with EACH country and its values in a bar.

somesoni2 · ‎12-18-2018

Give this a try

...query
| bucket span=1month _time 
| chart count sum(2017_totals) as "Last_Year" sum(2018_totals) as "This_Year" by _time county limit=0

|stats count(sum) as a grouped TIMECHART

New Case Study: How LSU’s Student-Powered SOCs and Splunk Are Shaping the Future of ...

Splunk and Fraud

Build Your First SPL2 App!