I have a query like this - which charts the number of grapes and pears in a fruit cart
sourcetype="fruitlog" type="pear" OR type="grape" | eval InStock=10 | chart first(InStock) as InStock,count(eval(type="pear")) AS numPears, count(eval(type="grape")) AS numGrapes
The InStock amount is the total number of fruits that is UNRELATED to the number of Pears and Grapes.
When I put this up on a dashboard, NO bar appears for the InStock Value of 10. I see numPears and I see numGrapes.
Any ideas so as to why this CONSTANT value would not display on a chart ? It might sound stupid to even have it there, but I need for it to show for comparison.
Add this to the end of your search
| transpose | rename "row 1" as count
The trick is to get your data in multiple rows, not across multiple columns.
You can also replace 'chart' with 'stats'
A neater search might be
sourcetype="fruitlog" type="pear" OR type="grape"
| stats count by type
| appendpipe [ head 1 | eval type="InStock" | eval count=10 | fields type count ]
The 1st 2 lines gets the count per type (which will graph as-is)
the last line just spoofs an entry for InStock
Add this to the end of your search
| transpose | rename "row 1" as count
The trick is to get your data in multiple rows, not across multiple columns.
You can also replace 'chart' with 'stats'
A neater search might be
sourcetype="fruitlog" type="pear" OR type="grape"
| stats count by type
| appendpipe [ head 1 | eval type="InStock" | eval count=10 | fields type count ]
The 1st 2 lines gets the count per type (which will graph as-is)
the last line just spoofs an entry for InStock
yeah - i don't have your data, but this seems to be similar to what you're using :
index=_internal | eval instock=10 | stats first(instock) as instock count(eval(group=="pipeline")) as pipe count(eval(group=="queue")) as queue | transpose | rename "row 1"
as count`
or
index=_internal group="pipeline" OR group="queue" | stats count by group | appendpipe [ head 1 | eval group="InStock" | eval count=10 | fields group count ]
sourcetype="fruitlog" type="pear" OR type="grape" | eval InStock=10 | chart first(InStock) as InStock,count(eval(type="pear")) AS numPears, count(eval(type="grape")) AS numGrapes | transpose | rename "row 1" as count ???
It's not that it's a constant, it's that your search will generate one row with multiple columns and the first column will be the one used by the bar chart for the Y-axis label. Try removing the first part of your chart
command and you'll see that numPears
will disappear from the bar chart and instead be used as a label.
So, how would you recommend I frame my search.
A timechart is not desired here but just a chart.