Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Including event count in legend of timechart

splunk_svc
Path Finder
‎10-16-2016 05:57 PM

Hi Splunkers.
I'm trying to get event counts for timechart values displayed in the legend.
i.e. In the legend I want to display the event count, in addition to each value.

I am trying to include the count due to a couple of values on the timechart hiding others, having a much higher record count in comparison the the rest.

I am already doing something similar for a pie chart:

[query] | stats count by my_fieldname | eval my_fieldname=my_fieldname.", ".count

(...with the eval command appending the count to the value displayed in the legend)

I don't seem to be able to get this working for a timechart. If I do the following, I end up with only one value appearing in the legend as "NULL"

[query]  |  eval my_fieldname=my_fieldname.", ".count | timechart count by responsestatus

I'm pretty sure this has to be manipulated before the timechart as there don't seem to be any timechart options to include the record count.

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

alemarzu
Motivator
‎10-16-2016 06:48 PM

Hi @splunk_svc

Is it this what you are looking for ? This is a working example.

index=_internal | eventstats count by sourcetype | eval my_fieldname=sourcetype.", ".count | timechart count by my_fieldname

Hope it helps.

Edit: query outcome
alt text

View solution in original post

Reply
Solved! Jump to solution
Solution

alemarzu
Motivator
‎10-16-2016 06:48 PM

Hi @splunk_svc

Is it this what you are looking for ? This is a working example.

index=_internal | eventstats count by sourcetype | eval my_fieldname=sourcetype.", ".count | timechart count by my_fieldname

Hope it helps.

Edit: query outcome
alt text

Reply
Solved! Jump to solution

splunk_svc
Path Finder
‎10-16-2016 10:59 PM

Thanks alemarzu.

I gave that a go.
I get a single entry in the legend of "VALUE_json" with a total of all events found.
(There should be three values in the legend)

I tried it again and replaced "eval my_fieldname=sourcetype" with "eval my_fieldname=my_fieldname".

I now get the three values listed in the legend but beside each is a the same event count. i.e. the total event count across all three values.

0 Karma
Reply
Solved! Jump to solution

alemarzu
Motivator
‎10-17-2016 06:27 AM

Can you show me how did you adapt the query I've posted or some data samples ?

0 Karma
Reply
Solved! Jump to solution

cmerriman
Super Champion
‎10-17-2016 08:07 AM

are you doing:

index=_internal | eventstats count by my_fieldname| eval my_fieldname=sourcetype.", ".count | timechart count by my_fieldname
0 Karma
Reply
Solved! Jump to solution

splunk_svc
Path Finder
‎10-17-2016 03:49 PM

Got it.
Using "sourcetype" in the query was converting the value label into "_json".

Replacing sourcetype in alemarzu's query above with my_fieldname did the trick.

Thanks folks.

0 Karma
Reply
Solved! Jump to solution

alemarzu
Motivator
‎10-17-2016 05:17 PM

Nice, im glad it helped. Happy splunking!

0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...