I have a search that makes a stacked bar chart:
tag=authentication user!=NULL | eval myVar=if(tag=="success","success","failure") | chart count by user, myVar
This search plots number of authentications per user, with each authentication attempt being split between success and failure as the colors in the stacked bar chart.
However, I have a lot of users. I want to limit the number of users this bar chart displays to some number of the more active users and lump the rest into "other", but the documentation I've read on the matter doesn't seem to work when applied. The bins command fails outright, the limit command applies to myVar instead of user no matter where I put it, and the top command overwrites my chart command.
I also tried using a pivot, but it seems I can't compare two tags against each other without getting other tags involved.
I've also tried using a where clause, but that too is applied to myVar. I think this simply isn't possible.
I want the graph pictured below, but with only the bars with the highest count displayed.
Does anyone know how I could do what I want?
This search does the thing that I want. Just change 10 to however many bars you want.
tag=authentication user!=NULL AND (tag=success OR tag=failure) | eval myVar=if(tag=="success","success","failure") | chart count as Count by user, myVar | addtotals fieldname=total | sort -total | fields user failure success | head 10
It looks like the "fields" in my chart become user, success, failure, and a few others instead of the fields in my search. This was what caused me problems.
If anyone knows how to get an "other" bar involved in all of this that'd be swell, but this is good enough.
Try like this:
tag=authentication user!=NULL | chart count(eval(tag="success")) as "count tag success", count(eval(tag!="success")) as "count tag failures" by user limit=8 useother="f" usenull="f"
The limit is still not being applied to users. This search produces the same graph as in the image with the names of the colors changed.
Hi ksextonmacb
Try this search code
tag=authentication user!=NULL | eval myVar=if(tag=="success","success","failure") | chart count by myVar , user limit=8 useother="f" usenull="f"
This gets me two bars, one for success and one for failure, with the color of each stacked bar corresponding to user. I'm after a bar for each desired user, with the color of each stacked bar corresponding to the value of myVar.
I do think this answer is as close as I'm going to get to what I want, though.
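Added example, not taken from any post in this thread: one way to get the top-N users with the remainder lumped into an "other" bar, while keeping success and failure as the stacked colors. In chart, the limit, useother and usenull options act on the split-by field (the last field in the by clause), which is why limit kept hitting myVar rather than user; this search does the ranking itself instead. It assumes the same tag, user and myVar fields as the question; the field names total, rank and isOther and the label "other" are my own choices.

```spl
tag=authentication user!=NULL (tag=success OR tag=failure)
| eval myVar=if(tag=="success","success","failure")
| chart count by user, myVar
| addtotals fieldname=total
| sort -total
| streamstats count as rank
| eval user=if(rank<=10, user, "other")
| stats sum(success) as success, sum(failure) as failure by user
| eval total=success+failure, isOther=if(user=="other",1,0)
| sort isOther, -total
| fields - total, isOther
```

After chart, each row is one user with a success and a failure column (chart fills missing cells with 0). addtotals sums those two columns into total, sort orders users by total, and streamstats count assigns each row its rank. Every user ranked below 10 is renamed to "other", and the following stats collapses those rows into a single user while leaving the top 10 untouched. The last three lines only control row order so the chart draws the top users by descending total with the "other" bar last; change the 10 in the eval to the number of bars you want.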
The following link will help:
http://answers.splunk.com/answers/73745/max-data-points-that-charts-can-handle.html
1) To get the tag count per user
tag=authentication user!=NULL | eval myVar=if(tag=="success","success","failure") | stats dc(myVar) as tagCount by user
2) To display in sort order (descending) by tagCount
tag=authentication user!=NULL | eval myVar=if(tag=="success","success","failure") | stats dc(myVar) as tagCount by user | sort -tagCount
3) To display top 10 users (From above search)
tag=authentication user!=NULL | eval myVar=if(tag=="success","success","failure") | stats dc(myVar) as tagCount by user | sort -tagCount | head 10
This just gives me a chart telling me if a user has ever succeeded or failed vs. succeeded and failed; the values are all either one or two. It doesn't split results over success and failure, and it doesn't give out the number of successes and failures.