Creating a Stacked Graph (Area but coloured like bar)

AccentureQBETA
Path Finder

I have the following search:

index="cms_test_1" [|inputlookup Stacked_Worse12.csv | rename FullURL as cs_uri | fields + cs_uri] sc_status=200 time<19:00:00.000 time>=07:00:00:.000 | fields  cs_uri, date | stats count by date, cs_uri

Which gives me a list of Dates, cs_uri's and their count. I would like to make a stacked graph out of this. So the legend would be the cs_uri's, X-Axis will be Dates, Y-Axis will be Count.

I've tried looking into timechart. I think I can use this, span=d, count(uri), but it does full counts for the day so far.
Example Table (Pivot Table, Excel):

Date cs_uri1 cs_uri2 cs_uri2
11/08/2012 6 3 5
12/08/2012 7 1 4
13/08/2012 4 6 8

But I can't get timechart to work and I can't get a stacked graph looking how I would like. Using the above data, I expect to see 3 dates across the bottom, and for each date, 3 series (values, stacked, with different colours), either in bar form or, even better, as a continuous area graph.

The csv inputlookup contains a list of cs_uri's I'm filtering on.

0 Karma
1 Solution

AccentureQBETA
Path Finder

index="cms_test_1" [|inputlookup Stacked_Worse12.csv | rename FullURL as cs_uri | fields + cs_uri] sc_status=200 time<19:00:00.000 time>=07:00:00:.000 | fields date, cs_uri | timechart count(cs_uri) span=d by cs_uri

Works great.

I don't know why I couldn't get it to work before 😄

0 Karma

Ayn
Legend

What's not working with timechart count by uri and choosing stacked mode in your chart?

0 Karma
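
Added example, not part of the original thread: the question's `stats count by date, cs_uri` output has one row per date and URI pair, while a stacked chart needs one row per date and one column per URI. The search below rebuilds rows modeled on the question's example table (constructed data, with placeholder series names uri_a, uri_b and uri_c) and pivots them with `xyseries`, keyed on the `date` field instead of `_time`.

```spl
| makeresults
| eval row=split("11/08/2012,uri_a,6;11/08/2012,uri_b,3;11/08/2012,uri_c,5;12/08/2012,uri_a,7;12/08/2012,uri_b,1;12/08/2012,uri_c,4;13/08/2012,uri_a,4;13/08/2012,uri_b,6;13/08/2012,uri_c,8", ";")
| mvexpand row
| eval date=mvindex(split(row, ","), 0),
       cs_uri=mvindex(split(row, ","), 1),
       count=tonumber(mvindex(split(row, ","), 2))
| fields date, cs_uri, count
| xyseries date cs_uri count
```

The result has three rows (one per date) and one column per series, which the column or area visualization renders as a stack once stack mode is set to stacked. Because `date` is a dd/mm/yyyy string here, rows sort as text, so ranges that cross a month boundary can come out of order; `timechart span=d` on `_time`, as in the accepted answer, does not have that problem.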