Dashboards & Visualizations

Multi-variable Bar Graph

JoshuaJohn
Contributor

Hi I am trying to make a multi-variable bar graph (Similar to the image below)
alt text

The first bar would be a static number: 22500

The second bar would be this search:
| inputlookup Report.csv | search u_last_policyrequest_time=*| fields u_last_policyrequest_time| eval Last_Policy_Request = strptime(u_last_policyrequest_time, "%m/%d/%Y %H:%M") | where Last_Policy_Request > relative_time(now(),"-48h")

The third bar would be this search: |inputlookup Report.csv|rename u_wifi_mac_address as Mac_Address | stats count as ActiveDevices by Mac_Address|stats sum(ActiveDevices) as SNTotal_Asset_Records|table SNTotal_Asset_Records

The fourth bar would be this search: |inputlookup Report.csv|rename u_wifi_mac_address as Mac_Address | stats count as ActiveDevices by Mac_Address|stats sum(ActiveDevices) as ActiveDevices | eval No_Record = 22500-ActiveDevices |table No_Record

I am not sure if it is possible to combine them like this. All of these results come from the same place.

0 Karma
1 Solution

somesoni2
SplunkTrust
SplunkTrust

Another version

| inputlookup Report.csv
| stats count(eval(strptime(u_last_policyrequest_time,"%m/%d/%Y %H:%M")>relative_time(now(),"-48h")))) as Policy_Request_last2days
count(Mac_Address) as SNTotal_Asset_Records
| eval No_Record=22500-SNTotal_Asset_Records
| eval BaseBar=22500
| table BaseBar Policy_Request_last2days SNTotal_Asset_Records No_Record

View solution in original post

somesoni2
SplunkTrust
SplunkTrust

Another version

| inputlookup Report.csv
| stats count(eval(strptime(u_last_policyrequest_time,"%m/%d/%Y %H:%M")>relative_time(now(),"-48h")))) as Policy_Request_last2days
count(Mac_Address) as SNTotal_Asset_Records
| eval No_Record=22500-SNTotal_Asset_Records
| eval BaseBar=22500
| table BaseBar Policy_Request_last2days SNTotal_Asset_Records No_Record

DalJeanis
SplunkTrust
SplunkTrust

Heh. I need to practice typing | stats count(eval(blahblahblah)) until I have convinced myself that the code will actually run...

0 Karma

DalJeanis
SplunkTrust
SplunkTrust

Lots of ways to do this, here's one...

| inputlookup Report.csv 
| search u_last_policyrequest_time=*  OR isnotnull(u_wifi_mac_address)
| eval Last_Policy_Request = strptime(u_last_policyrequest_time, "%m/%d/%Y %H:%M") 
| eval policyCount=if(Last_Policy_Request > relative_time(now(),"-48h"),1,0)
| eval macCount=if(isnotnull(u_wifi_mac_address),1,0)
| stats sum(policyCount) as bar2, sum(macCount) as bar3
| eval bar1=22500
| eval bar4=bar1-bar3
0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...