- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How do I create a stacked bar chart sorted by host...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How do I create a stacked bar chart sorted by host.
I am still learning all the nice functionality in Splunk, but have some trouble with this.
Eks struktur:
Aug 05 09:27:33 palito dog
Here I got two interesting fields:
host=palito
info=dog
Sample data:
Aug 05 09:27 palito dog
Aug 05 09:28 habo cat
Aug 05 09:29 jago horse
Aug 05 09:30 palito cat
Aug 05 09:31 palito cat
Aug 05 09:32 habo cat
Aug 05 09:33 jago horse
Aug 05 09:34 palito horse
Aug 05 09:35 habo dog
From this I like to get the graph sorted on the info (animal) so I get top 5 animals using this:
* | top limit=5 info
This give three column, cat=4, dog=2 and horse=3
So far I am full control of the situation.
But then I like to also see the representation of the hosts, so these data gives:
cat 4 palito 2 habo 2
dog 2 palito 1 habo 1
horse 3 palito 1 jago 2
I know how to select format-stacked, but not how to get 3 columns with 4 cat, where I color separate it with 2 palito, and 2 habo etc.
So It should be 3 columns with percent host showing in each of them.
I tried, but not working
* | top limit=5 info by host
Example on how the three column should look like:
h
h j
p h j
p p p
--------------------
cat dog horse
Where p,h, and j are different colors.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try something like this
* | chart count over info by host | addtotals fieldname="Total" | table info Total * | sort - Total | head 5
This should give you a nice table with info (animal name) as first column, Total (total count) and count by host (as separate columns). Just select stacked option in the visualization and you're set.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you, this is relay close to what I need.
To not add Total to every column I removed it, so it looks like this:
* | chart count over info by host | addtotals fieldname="Total" | table info Total * | sort - Total | head 5 | field - Total
But I have a problem with addtotals. It sums up all the fields, that is OK, but if the field name is a number, It add the number of the field name to the Total. For me that seems to be a bug. Is three a way around it?
This is what I like to get:
info\host palito habo jago Total
-----------------------------------------
cat 2 2 4
dog 1 1 2
82 1 2 3
This is what Splunk gives, look at Total for the 82
info\host palito habo jago Total
-----------------------------------------
cat 2 2 4
dog 1 1 2
82 1 2 85
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
Try this:
| timechart count by host limit=10
If you are on search page:
1. Goto Visualization and select bar chart
2. Select format button
3. Select stack mode as: Stacked
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This does not help.
It only shows hits over time for each host. I am not interested in time.
I need to see number of each type of animals (info) and each column should show stacked hosts.
ICYMI - Check out the latest releases of Splunk Edge Processor
Introducing the 2024 SplunkTrust!
Introducing the 2024 Splunk MVPs!
