Splunk Search

How do I create a stacked bar chart with my data set?

dantu
Explorer

Hi Guys,

I have the following data set that I retrieve using a search:

host         calltype    count
pc4bwsoap03  odata/v2    4931
pc4bwsoap03  sfapi/v1    134
pc4bwsoap03  api/oauth   13
pc4bwsoap03  xi/ajax     9
pc4bwsoap03  api/cdp     9
pc4bwsoap04  sfapi/v1    642
pc4bwsoap04  odata/v2    449
pc4bwsoap04  api/oauth   28
pc4bwsoap04  xi/ajax     24
pc4bwsoap04  api/cdp     23

Now in this you see the reappearance across multiple hosts of something like odata/v2, sfapi/v1.

Now how do I generate a stacked graph for this so that one of the axes is the host and it has one bar which represents the 2nd column instead of multiple bars?

Thank you
Dan


woodcock
Esteemed Legend

What is your search to generate this data?


alacercogitatus
SplunkTrust

Not sure of your main search, but this might help you:

 <your_search>  | contingency host calltype useother=f

This will provide a table of the counts by host and calltype. You can then use a Stacked bar chart to visualize the data.

There is an alternative to contingency in case you need to do a more advanced calculation.

<your_search> | chart sum(count) over host by calltype

This should return the same table, to use in the graph.


dantu
Explorer

Thanks for that.

The search that I am doing is a simple one. I have created a field extraction to extract the 2nd column of that table.

So when you actually do a top limit=5 it shows that there are two types for it.

Would it work then?

Thank you
Dan


alacercogitatus
SplunkTrust

Ah ok, so I think you are pulling that table as a single event. In that case:

<your_search_to_find_the_event> | rex field=_raw "(?<host>[^\s]+)\s+(?<calltype>[^\s]+)\s+(?<count>\d+)(?:[\r\n]+)?" max_match=0 | <contingency_or_chart_as above>
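An added, runnable end-to-end version of the rex-then-chart approach above (example search, not from any poster in this thread). It builds the single-event table with makeresults from a constructed subset of Dan's rows, and shows the step the one-liner leaves out: with max_match=0 the three rex captures come back as multivalue fields on one event, so they have to be zipped and expanded into one row per host/calltype pair before chart or contingency will count them correctly. The field names host, calltype and count are the thread's; row is an assumed scratch field name.

```spl
| makeresults
| eval _raw="pc4bwsoap03 odata/v2 4931 pc4bwsoap03 sfapi/v1 134 pc4bwsoap03 api/oauth 13 pc4bwsoap04 sfapi/v1 642 pc4bwsoap04 odata/v2 449 pc4bwsoap04 api/oauth 28"
| rex field=_raw "(?<host>[^\s]+)\s+(?<calltype>[^\s]+)\s+(?<count>\d+)(?:[\r\n]+)?" max_match=0
| eval row=mvzip(mvzip(host, calltype, "|"), count, "|")
| fields - host calltype count
| mvexpand row
| rex field=row "^(?<host>[^|]+)\|(?<calltype>[^|]+)\|(?<count>\d+)$"
| chart sum(count) over host by calltype
```

The result is one row per host with a column per calltype (odata/v2, sfapi/v1, api/oauth), which the Stacked bar chart visualization renders as one stacked bar per host.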