Hi.
I have a very simple log this time where I find two boolean vars A and B which values can be 'FAIL' and 'PASS'.
I'd like to create a stacked column chart where I'll have a different column for each timestamp. In every column, I'll have 4 different colours like this:
Don't panic, I attached a picture of what I'd need to get 😉
I hope I made myself clear and any help will be absolutely valuable and welcome, thanks in advance!!!
The promised picture:
Best regards,
David Eladio García Ontañón.-
This should do it
your base search | table _time A B | eval BothPass=if(A="PASS" AND B="PASS",1,0) | eval APass=if(A="PASS" AND B="FAIL",1,0) | eval BPass=if(A="FAIL" AND B="PASS",1,0) | eval BothFail=if(A="FAIL" AND B="FAIL",1,0) | table _time BothPass APass BPass BothFail | timechart span=yourChosenSpan sum(*) as *
During visualization, choose the stacked option in the column chart. For specific colors, you'd need to add the fieldColor option in the chart visualization.
<chart>
<search..... </search>
<option name="charting.chart">column</option>
<option name="charting.chart.stackMode">stacked</option>
<option name="charting.fieldColors">{"BothFail":0xFF0000,"BPass":"0xFFA500","APass":0xFFFF00, "BothPass":0x73A550}</option>
.....remaining option....
</chart>
Thanks! i followed the two answers to learn myself and finally managed to get the chart i needed. Thanks!
Glad you found the guidance you needed from @somesoni2 and @sundareshr 🙂 I know it's tough, but could you resolve the post by clicking "Accept" below the answer you used the most to get your final result? Also, it would be great if you could share that final solution here for others to learn and see how you produced your desired chart. Don't forget to upvote both answers for helping you out!
Patrick
Without data sample, give this a shot
base search here | eventstats count as total | eval state=case(A="Pass" AND B="Pass", "ABPass", A="Pass" AND B="Fail", "APassBFail", A="Fail" AND B="Pass", "AFailBPass", A="Fail" AND B="Fail", "ABFail", 1=1, "UNK") | bin span=1h | eventstats countevat as statecount by _time state | eval time=_time."#".total | chart max(statecount) over time by state | rex field=time "(?<Time>[^#]+)#(?<total>.*)" | fields - time | eval ABPassPerc=ABPass/total*100 ..... you get the idea.
Format you chart as a stacked chart. And you should get the desired outcome.
Wow! Thank you two!!! i'll make my best to test this asap today and of course i'll let you know the result!
Thanks!