Solved: Re: Can i put 3 or more data fields on the x-axis ...

HattrickNZ · ‎03-02-2015

I am trying to recreate the below graph from excel...it is created using pivot in excel and i use the option select data-> switch row/column to get it to look like this.

my data looks something like this:

Start Time  NE Name FN  SN  BP  Reliability Occupation Rate of TC Resource(%) (%)
25/02/2015 0:00 NE1 FN=1     SN=1    BP=Front   Reliable    NIL
25/02/2015 0:00 NE2 FN=1     SN=3    BP=Front   Reliable    0
25/02/2015 0:00 NE1 FN=2     SN=3    BP=Front   Reliable    7
25/02/2015 0:00 NE3 FN=3     SN=15   BP=Front   Reliable    2
25/02/2015 0:00 NE3 FN=2     SN=3    BP=Front   Reliable    8
25/02/2015 0:00 NE4 FN=1     SN=1    BP=Front   Reliable    11
25/02/2015 0:00 NE4 FN=1     SN=3    BP=Front   Reliable    1
25/02/2015 0:00 NE4 FN=0     SN=1    BP=Front   Reliable    10
25/02/2015 0:00 NE4 FN=1     SN=0    BP=Front   Reliable    9
25/02/2015 0:00 NE4 FN=1     SN=2    BP=Front   Reliable    10
25/02/2015 0:00 NE4 FN=0     SN=2    BP=Front   Reliable    8
25/02/2015 0:00 NE4 FN=0     SN=0    BP=Front   Reliable    10
.
.
.

I am close with this search, as it puts the userLabel on the x-axis but the FN and SN are put on the legend with the counter. How do i get the FN and SN on the x-axis?

index=core host="snzclakl598" elementType="MGW"  measInfoId=100665835  userLabel=NE1 | stats  max(c100991388) by userLabel, FN, SN

I have explored using the xyseries command here but no joy.

EDIT1

in relation to somesoni2 answer, that more gives a chart like below which is slightly different. I would like to have more control of the fields on the xaxis as in my original Q.

somesoni2 · ‎03-02-2015

Try something like this

 index=core host="snzclakl598" elementType="MGW" measInfoId=100665835 userLabel=NE1 | stats max(c100991388) as max by userLabel, FN, SN  | eval userLabel="UserLable=".userLabel."   FN=".FN."   SN=".SN | table userLabel, max

View solution in original post

somesoni2 · ‎03-02-2015

Try something like this

 index=core host="snzclakl598" elementType="MGW" measInfoId=100665835 userLabel=NE1 | stats max(c100991388) as max by userLabel, FN, SN  | eval userLabel="UserLable=".userLabel."   FN=".FN."   SN=".SN | table userLabel, max

HattrickNZ · ‎03-02-2015

tks very much that is very close see my edit1 above. can you explain a bit more about the part eval userLabel="UserLable=".userLabel." FN=".FN." SN=".SN how do I remove the "UserLable=".userLabel." part with out breaking this.

mzorzi · ‎02-26-2016

Nice one, I simpler application of this answer:

index=_internal source=*splunkd.log earliest=-2d | eval bytes=length(_raw) |  eval WTime=strftime(_time,"%W") | eval userLabel=WTime |  eval dateday=date_mday."_".date_month."_".date_year | stats max(bytes) as max by userLabel, dateday  | eval userLabel="WeekYear=".userLabel  | table userLabel, max

Alternatively you can also show the day and week together:

index=_internal source=*splunkd.log earliest=-2mon | eval bytes=length(_raw) |  eval WTime=strftime(_time,"%W") | eval userLabel=WTime |  eval dateday=date_mday."_".date_month."_".date_year | stats max(bytes) as max by userLabel, dateday  | eval userLabel="WeekYear=".userLabel."   DateDay=".dateday  | table userLabel, max

HattrickNZ · ‎03-02-2015

answering my own question here eval userLabel="FN=".FN." SN=".SN

ppablo · ‎03-04-2015

Hi @HattrickNZ

Just to follow up, did @somesoni2's answer with your eval edit solve your question? If so, don't forget to accept his answer and upvote it 🙂

Patrick

HattrickNZ · ‎03-05-2015

@Patrick the answer was very close but I am still looking for a closer answer see EDIT1, but if this is the best that can be done I I will accept accordinly.

Can i put 3 or more data fields on the x-axis in Splunk 6.1 and recreate a graph from excel?

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases