How to sorted stacked bar chart ?

hjwang · ‎06-09-2011

dear all

i wanna show ratio in bar chart by special field, for example
i use

my search | stats count by DEST_IP | sort - count | head 10

but i want to show country count in each DEST_IP stats, then i use

my search | chart count over DEST_IP by SRC_IP_countryname

but this will list all DEST_IP with different country count, and can not be sorted by each DEST_IP total count, is there anyway to do this? thanks in advance.

hjwang · ‎06-10-2011

for example:

if i directly use stats count by DEST_IP | sort - count | head 10, it will be as follows

1.1.1.1 ||||||||||||||||||||

2.2.2.2 ||||||||||||||||||

3.3.3.3 ||||||||||||

4.4.4.4 |||||||||

now, if i use char count over DEST_IP by SRC_IP_countryname, it will be as follows

2.2.2.2 ||||####@@@@^^^^^

1.1.1.1 @@@^^^^^||||||||########

3.3.3.3 |||$$$%%%&&

4.4.4.4 !!!$$$@

here different symbols means different country and its length indicates its ratio in total count
but now it can not be sorted by total count as case 1. how can i do that? thanks

Ant1D · ‎06-09-2011

Hi,

You can do a search where you count by more than one field. So for example you could do a search like:

my search | stats count by DEST_IP SRC_IP_countryname | fields DEST_IP SRC_IP_countryname count | sort - count

Alternatively, you might want to join two fields together like shown in this example:
`my search | eval twofields=DEST_IP."-".SRC_IP_countryname | stats count by twofields | sort - count

Ant1D · ‎06-09-2011

sounds like you want to do the following search:
my search | chart sum(SRC_IP_country) by DEST_IP

hjwang · ‎06-09-2011

not that, clearly to say, i hope sort by total count of DEST_IP firstly, then chart it into stacked bar chart where each bar stand for one DEST_IP, and in each bar it can be seen different SRC_IP_country count

How to sorted stacked bar chart ?

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!