Splunk Search

How do I create a bar chart that shows the count of an event type?

coronelfoca
Explorer

I'm new to Splunk, trying to understand how these codes work out

Basically I have 2 kinds of events, which come in txt log files.
Type A has "id="39" = 00" and type B has something other than 00 in this same field.

How can I create a bar chart that shows, day to day, how many A's and B's I have?

I searched a lot of examples and the best I could get was a Type A (badly formed)

index=demo_bs
| bucket _time span=24h
| stats sum(eval(if((date_hour>=23) OR (date_hour<11),1,0))) as TimeWindowCount by _time
| appendcols
    [search index=demo_bs "<field id=\"39\" value=\"00\"/>"
     | stats count as Aprovadas]
| eventstats max(Aprovadas) as Aprovadas
| rename TimeWindowCount as "Historical Count During Window"
| rename Aprovadas as "Aproved Transactions"
0 Karma
1 Solution

somesoni2
Revered Legend

Not sure what the TimeWindowCount field is doing in your query (considering you want to show the count of type A and type B only), but I'll keep that field in the result. Try like this (change the field names typeA and typeB per your need, in all places):

index=demo_bs 
| eval typeA=if(searchmatch("<field id=\"39\" value=\"00\"/>"),1,0)
| eval typeB=abs(1-typeA)
| eval TimeWindow=if((date_hour>=23) OR (date_hour<11),1,0)
| timechart span=1d sum(typeA) as "Aproved Transactions" sum(typeB) as "NameOfTypeB Here" sum(TimeWindow) as "Historical Count During Window"


aaraneta_splunk
Splunk Employee

@coronelfoca - Looks like you have a few possible solutions to your question. If one of them provided a working solution, please don't forget to click "Accept" below the best answer to resolve this post. If you still need help, please leave a comment. Don’t forget to upvote anything that was helpful too. Thanks!

0 Karma

hunters_splunk
Splunk Employee

Hi coronelfoca,

When your log was indexed, the id and value fields should have been extracted. If not, extract these two fields from your events.
Then you can use the eval command to classify event types using id and value as criteria. The following example assumes all your events are either TypeA or TypeB:

index=demo_bs | timechart span=1d count(eval(id="39" AND value="00")) as TypeA, count as All | eval TypeB = All - TypeA | fields - All

Then, use visualization to view the data in a bar chart.
Hope this helps. Thanks!
Hunter

MuS
Legend

Hi coronelfoca,

I hope I got your question right, but this should give you a point to start:

| gentimes start=-1 
| eval foo="\"id=\"39\" = 00\", \"id=\"39\" = 01\"", _time=now() 
| rex max_match=0 field=foo "\"id=\"39\"\s=\s(?<myFoo>[^\"]+)\"" 
| mvexpand myFoo 
| eval approved=if(myFoo="00",1,null()), not-approved=if(myFoo>"00",1,null()) 
| chart count(approved) AS approved count(not-approved) AS not-approved by _time

This will give you an example; the important lines are the last two, lines 1-4 are only used to produce fake events.

So what happens here:

| gentimes start=-1 

will create a dummy event

| eval foo="\"id=\"39\" = 00\", \"id=\"39\" = 01\"", _time=now() 

evals foo and _time

| rex max_match=0 field=foo "\"id=\"39\"\s=\s(?<myFoo>[^\"]+)\"" 

using regex we get the value you need into a field called myFoo

| mvexpand myFoo 

expands the multivalue field into single-value events

| eval approved=if(myFoo="00",1,null()), not-approved=if(myFoo>"00",1,null()) 

checks whether the value of myFoo is an approved or a not-approved code

| chart count(approved) AS approved count(not-approved) AS not-approved by _time

charting it by time

Just adapt it to your needs with the historical counts.

Hope this helps ...

cheers, MuS

0 Karma
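Added example, not part of any post in this thread and not Splunk code: a small Python script that reproduces, on a handful of constructed log lines, what somesoni2's eval/timechart answer and MuS's rex/mvexpand walkthrough do in SPL. It extracts every `<field id="39" value="..."/>` occurrence from each line (the `rex max_match=0` step), expands the matches one per value (`mvexpand`), classifies "00" as approved/type A and anything else as type B, and buckets the counts by day the way `timechart span=1d` would, keeping the question's 23:00-11:00 "time window" count alongside. The timestamp format, the field-39 tag layout and the sample lines are assumptions made for this example; an event with no field 39 lands in neither class, and an event carrying two field-39 tags counts once per value (MuS's per-value behaviour) rather than once per event (somesoni2's `searchmatch` behaviour), which is the one place the two answers differ.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample events (assumed format, not from the original thread).
# Each line has an ISO-8601 UTC timestamp and the XML-ish field from the
# question; value "00" marks an approved (type A) transaction.
SAMPLE_LOG = """\
2024-03-01T00:15:02Z txn=1001 <field id="39" value="00"/>
2024-03-01T09:30:11Z txn=1002 <field id="39" value="05"/>
2024-03-01T14:02:45Z txn=1003 <field id="39" value="00"/>
2024-03-01T23:40:00Z txn=1004 <field id="39" value="51"/>
2024-03-02T03:12:19Z txn=1005 <field id="39" value="00"/>
2024-03-02T12:00:00Z txn=1006 <field id="39" value="00"/> <field id="39" value="12"/>
2024-03-02T22:59:59Z txn=1007 <field id="37" value="00"/>
"""

# Counterpart of: rex max_match=0 "<field id=\"39\" value=\"(?<val>[^\"]+)\"/>"
FIELD39 = re.compile(r'<field id="39" value="([^"]+)"/>')
TIMESTAMP = re.compile(r"^(\S+)")


def classify(value):
    """Counterpart of: eval typeA=if(value=="00",1,0) | eval typeB=abs(1-typeA)."""
    return "typeA" if value == "00" else "typeB"


def in_time_window(hour):
    """Counterpart of: eval TimeWindow=if((date_hour>=23) OR (date_hour<11),1,0).
    Note that Splunk's date_hour is in the event's own timezone; here the
    sample timestamps are UTC, so the hour is taken from the UTC time."""
    return hour >= 23 or hour < 11


def daily_counts(log_text):
    """Return {day: {"typeA": n, "typeB": n, "TimeWindow": n}}, i.e. the rows
    a `timechart span=1d sum(typeA) sum(typeB) sum(TimeWindow)` would emit."""
    rows = defaultdict(lambda: {"typeA": 0, "typeB": 0, "TimeWindow": 0})
    for line in log_text.splitlines():
        match = TIMESTAMP.match(line)
        if not match:
            continue
        ts = datetime.strptime(match.group(1), "%Y-%m-%dT%H:%M:%SZ")
        ts = ts.replace(tzinfo=timezone.utc)
        row = rows[ts.strftime("%Y-%m-%d")]  # bucket _time span=1d
        if in_time_window(ts.hour):
            row["TimeWindow"] += 1
        # mvexpand: one classification per extracted value, so a line with
        # two field-39 tags contributes twice; a line without the tag
        # contributes to neither class.
        for value in FIELD39.findall(line):
            row[classify(value)] += 1
    return dict(sorted(rows.items()))


def as_table(rows):
    """Flatten the per-day dict into the (day, typeA, typeB, TimeWindow)
    tuples a bar chart would be drawn from."""
    return [(day, r["typeA"], r["typeB"], r["TimeWindow"]) for day, r in rows.items()]


if __name__ == "__main__":
    for day, a, b, window in as_table(daily_counts(SAMPLE_LOG)):
        print(f"{day}  typeA={a}  typeB={b}  TimeWindow={window}")
```

Running the script prints one row per day, which is exactly the table the timechart feeds to the bar chart; if the per-event count is wanted instead of the per-value one, replace the `findall` loop with a single `FIELD39.search(line)` check, which is what `searchmatch` does.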