Splunk Search

I have results which have an order status across many systems. I want to group by order status with system in a bar graph.

DataOrg
Builder

status1    status2     status3      status4    status5
complete   failed      complete     complete   failed
cancelled  inprogress  failed       success    null
Null       delivery    in progress  failed     complete

0 Karma
1 Solution

niketn
Legend

@premranjithj, following is a run-anywhere search based on your data. If it is coming from a CSV in the exact same format that you have provided, this should be one of the ways to plot your result. If your raw events are in a different format than provided (like individual events with a timestamp and field names/possible extraction for both System and Status), there might actually be a better way to write this query.

| makeresults
| eval System1="complete"
| eval System2="failed"
| eval System3="complete"
| eval System4="complete"
| eval System5="failed"
| append [| makeresults
          | eval System1="cancelled"
          | eval System2="inprogress"
          | eval System3="failed"
          | eval System4="success"
          | eval System5="null"]
| append [| makeresults
          | eval System1="null"
          | eval System2="delivery"
          | eval System3="inprogress"
          | eval System4="failed"
          | eval System5="complete"]
| fields - _time
| stats list(System*) as System*
| transpose header_field="column" column_name="System"
| rename "row 1" as "Status"
| mvexpand Status
| chart count over System by Status

The query up to | fields - _time is used to mock the data in the question. The remaining query is your answer.
Additionally, you will need the bar chart options as per my previous comment:

 <option name="charting.chart">bar</option>
 <option name="charting.chart.stackMode">stacked</option>
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

DataOrg
Builder

@niketnilay but it takes only 100 results. I have 200 values but it takes only 100 results.

0 Karma

niketn
Legend

Are you monitoring 200 systems? Try changing mvexpand limit to 200 in your case.

| mvexpand Status limit=200

Let me know if it does not work.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
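
The accepted search above builds one multivalue Status field with stats list() and then splits it with mvexpand, and the follow-up raises the limit on mvexpand. One thing worth knowing when sizing that: stats list() returns at most 100 values per field, so that step is also a place where a 100-row cap can appear before mvexpand runs. The run-anywhere search below is an added example, not part of any post in this thread, that reshapes the same kind of rows with untable instead, which emits one result per cell and has no per-field value cap. The field names row, System and Status are choices for this example, and the mock rows are constructed from the table in the question.

```spl
| makeresults count=3
| streamstats count AS row
``` row 1..3 mirror the three lines of the question's table (constructed mock data) ```
| eval System1=case(row=1, "complete", row=2, "cancelled",  row=3, "null")
| eval System2=case(row=1, "failed",   row=2, "inprogress", row=3, "delivery")
| eval System3=case(row=1, "complete", row=2, "failed",     row=3, "inprogress")
| eval System4=case(row=1, "complete", row=2, "success",    row=3, "failed")
| eval System5=case(row=1, "failed",   row=2, "null",       row=3, "complete")
| fields - _time
``` untable turns every System* column of each row into its own result: row, System=<column name>, Status=<cell value> ```
| untable row System Status
``` same chart as the accepted answer; pair it with charting.chart=bar and stackMode=stacked ```
| chart count OVER System BY Status
```

If the rows come from a lookup file rather than makeresults, replace everything before | fields - _time with | inputlookup <your_file.csv> | streamstats count AS row and keep the last three commands; the triple-backtick comments are SPL search comments and can be removed on Splunk versions that do not support them.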

niketn
Legend

@premranjithj, you will have to provide more details of your data and fields. Since your intention is to have the various Order Status values grouped by system, I will assume the field names status and system.

<YourBaseSearchIndexAndSourcetype> status=* system=*
| chart count over system by status

You would need to turn on Stack mode for the bar chart.

    <option name="charting.chart">bar</option>
    <option name="charting.chart.stackMode">stacked</option>
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

DataOrg
Builder

System1    SYSTem2     system3      system4    system5
complete   failed      complete     complete   failed
cancelled  inprogress  failed       success    null
Null       delivery    in progress  failed     complete

All the systems have different names. I want to group each system with its status.
Ex: system 1 with its statuses in one group in a bar chart.

0 Karma