How to edit my search to establish protocols for v...

ablumenthal_spl · ‎06-24-2015

I'm working with a CSV file from salesforce. I'd like to build out a bar graph that reflects the 50 largest accounts by Amount. I'd like to then take that information and have Splunk filter it by my various forecasting categories. The field name is Forecast Category and the possible values are Upside, Closed, Commit, Most Likely. I would like the initial bar graph to indicate by color, which Accounts fall under which category. Is this possible? Where should i take my search from here:

sourcetype=___________ "Account Owner"="______________" "Fiscal Period"="Q2-2016" | stats sum(Amount) by "Account Name" | sort sum(Amount) | rename sum(Amount) as AllAccounts | tail 50

lguinn2 · ‎06-24-2015

 sourcetype=___________ "Account Owner"="______________" "Fiscal Period"="Q2-2016" 
| chart sum(Amount) by "Account Name" "Forecast Category"
| addtotals
| sort 50 -Total
| fields - Total

The problem with your original search is that once you have summarized the data by Account Name, the Forecast Category is no longer available to you. This search summarizes by both fields, then computes a total across all categories - and uses that total to select the top 50 accounts. Once the accounts have been selected, you need to remove the Total field so that it doesn't skew the chart.

Now the bar graph will be colorized by category.

How to edit my search to establish protocols for various portions of a graph to reflect different values by color?

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Combine Multiline Logs into a Single Event with SOCK: a Step-by-Step Guide for ...