Hi Guys,
I have the following data set that I retrieve using a search:
host calltype count
pc4bwsoap03 odata/v2 4931
pc4bwsoap03 sfapi/v1 134
pc4bwsoap03 api/oauth 13
pc4bwsoap03 xi/ajax 9
pc4bwsoap03 api/cdp 9
pc4bwsoap04 sfapi/v1 642
pc4bwsoap04 odata/v2 449
pc4bwsoap04 api/oauth 28
pc4bwsoap04 xi/ajax 24
pc4bwsoap04 api/cdp 23
Now in this you see the reappearance across multiple hosts of something like odata/v2, sfapi/v1.
Now how do I generate a stacked graph for this so that one of the axes is the host and it has one bar which represents the 2nd column instead of multiple bars?
Thank you
Dan
What is your search to generate this data?
Not sure of your main search, but this might help you:
<your_search> | contingency host calltype useother=f
This will provide a table of the counts by host and calltype. You can then use a Stacked bar chart to visualize the data.
There is an alternative to contingency in case you need to do a more advanced calculation.
<your_search> | chart sum(counts) by host over calltype
This should return the same table, to use in the graph.
Thanks for that.
The search that I am doing is a simple one. I have created a field extraction to extract the 2nd column of that table.
So when you actually do a top limit=5 it shows that there are two types for it.
Would it work then?
Thank you
Dan
Ah ok, so I think you are pulling that table as a single event. In that case:
<your_search_to_find_the_event> | rex field=_raw "(?<host>[^\s]+)\s+(?<calltype>[^\s]+)\s+(?<count>\d+)(?:[\r\n]+)?" max_match=0 | <contingency_or_chart_as above>
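An added, self-contained example of the single-event case discussed above (not part of the original thread): with max_match=0, rex returns host, calltype and count as multivalue fields on one event, so this version re-pairs them row by row with mvzip and mvexpand before charting. The makeresults event is constructed from four of the rows in the question, and the helper field name row is an assumption.

```spl
| makeresults
| eval _raw="pc4bwsoap03 odata/v2 4931
pc4bwsoap03 sfapi/v1 134
pc4bwsoap04 sfapi/v1 642
pc4bwsoap04 odata/v2 449"
``` constructed sample event: the whole table arrives as one event ```
| rex field=_raw max_match=0 "(?<host>\S+)\s+(?<calltype>\S+)\s+(?<count>\d+)"
``` host, calltype and count are now parallel multivalue fields; zip them so each row stays together ```
| eval row=mvzip(mvzip(host, calltype, "|"), count, "|")
| mvexpand row
``` one event per table row; split the zipped value back into single-value fields ```
| eval row=split(row, "|")
| eval host=mvindex(row, 0), calltype=mvindex(row, 1), count=tonumber(mvindex(row, 2))
``` one row per host, one column per calltype: the shape a stacked bar chart expects ```
| chart sum(count) over host by calltype
```

Select the bar or column chart and set the stack mode to stacked in the chart format options to get one bar per host, segmented by calltype.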