I'm working with a CSV file from Salesforce. I'd like to build out a bar graph that reflects the 50 largest accounts by Amount. I'd like to then take that information and have Splunk filter it by my various forecasting categories. The field name is Forecast Category and the possible values are Upside, Closed, Commit, Most Likely. I would like the initial bar graph to indicate by color which Accounts fall under which category. Is this possible? Where should I take my search from here:
sourcetype=___________ "Account Owner"="______________" "Fiscal Period"="Q2-2016" | stats sum(Amount) by "Account Name" | sort sum(Amount) | rename sum(Amount) as AllAccounts | tail 50
sourcetype=___________ "Account Owner"="______________" "Fiscal Period"="Q2-2016"
| chart sum(Amount) by "Account Name" "Forecast Category"
| addtotals
| sort 50 -Total
| fields - Total
The problem with your original search is that once you have summarized the data by Account Name, the Forecast Category is no longer available to you. This search summarizes by both fields, then computes a total across all categories - and uses that total to select the top 50 accounts. Once the accounts have been selected, you need to remove the Total field so that it doesn't skew the chart.
Now the bar graph will be colorized by category.