effectiment your command works right but the problem with you is that the c values of the field "status" that you use inside al are certainly not good values because generally the "status" field takes the following values:
200 201; 204; 303; 304; 400; 401; 404; 500
Continued; failure ; skipped success ......
see my example to better understand:
sourcetype=* | chart count(eval(status=200)) AS info, count(eval(status="400")) AS error, count(eval(status="500")) AS warn by sourcetype
see picture below
or if you want youn can use case function like this :
sourcetype=*|eval des=case(status>=200 AND status<300,"infos",status>=300 AND status<400,"infos2",status>=400 AND status<500,"infos4",status>=500,"infos4") | chart count(status) by des, sourcetype
see this link: http://answers.splunk.com/answers/152683/is-it-possible-to-show-values-in-the-column-bar-chart.html#...
to see values in the column/bar chart.
The best way is to reduce the data set first and then enumerate by the data points involved.
In this scenario, we assume that all of your sourcetypes understand the meta field status. The following is best to reduce the data set:
* (status="error" OR status="info" OR status="warning")
The second step is to count the desired meta field and then align by the result and the associate data point. In other words:
| chart count(status) by source status
That produces a table like this:
The end result is the ability to use that data in a column (or bar) chart as follows:
Makes sense?
