Hello,
I have a question about a timechart creation. I want to create a columns chart. My search is :
tag::source="TokenizerWatchdogSplunk"| Service_Type="*" | eval series=case(Service_Type="T2D", "detok", Service_Type="D2T", "tok") |chart count(Service_Type) by series, _time, Requester
series and Requester are two fields that I created. I want to have time and requester in abscissa and the number of Service_type by series in ordinate. I want to have the number of detok and tok by requester. A requester is a column and this on basis on the time. But I don't able to have a chart of this type. How can I resolve this?
Thanks in advance.
Is this close to what you are looking for?
chart count(Service_Type) by series over Requester
Is this close to what you are looking for?
chart count(Service_Type) by series over Requester
This will only show values that have counts. Using the fields command we can show the count of other series that may have existed, but how do we fill those null values with 0 if they have no events? The fillnull command does not seem to work in that case.
hi,
can we create a chart on difference of two coulmn.And on right it should show the two column values too is it possible.