Splunk Search

How to make a bar chart from stats and divide it according to a field?

chitreshakumar
Communicator

I have counts of aging tickets which we have divided into different ranges .But I want to show it as chart which will be divided into ticket types.


 eval age=(now() - strptime(time_submitted,"%d/%m/%y %H:%M:%S"))/86400, total_age=round(age,0)| table total_age|rangemap field=total_age 0-7=0-7 8-15=8-15 16-30=16-30 | stats count by range| sort by range|

I want to add chart over range by ticket_type after this

0 Karma
1 Solution

niketn
Legend

@chitreshakumar, if your intent is to get daily count on tickets submitted and then put them in weekly ranges, you can try out the following:

<YourBaseSearch>
| eval time_submitted=strptime(time_submitted,"%d/%m/%y %H:%M:%S")
| bin time_submitted span=1d
| stats count by time_submitted
| eval ageInDays=floor((now()-time_submitted)/86400)
| eval ageInDays=case(ageInDays>=0 AND ageInDays<=7,"00-07",ageInDays>=8 AND ageInDays<=15,"08-15",ageInDays>=16 AND ageInDays<=30,"16-30")
| stats sum(count) as Total by ageInDays

If you want to show week over week stats on a timechart, you can also consider the timewrap command.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

View solution in original post

0 Karma

niketn
Legend

@chitreshakumar, if your intent is to get daily count on tickets submitted and then put them in weekly ranges, you can try out the following:

<YourBaseSearch>
| eval time_submitted=strptime(time_submitted,"%d/%m/%y %H:%M:%S")
| bin time_submitted span=1d
| stats count by time_submitted
| eval ageInDays=floor((now()-time_submitted)/86400)
| eval ageInDays=case(ageInDays>=0 AND ageInDays<=7,"00-07",ageInDays>=8 AND ageInDays<=15,"08-15",ageInDays>=16 AND ageInDays<=30,"16-30")
| stats sum(count) as Total by ageInDays

If you want to show week over week stats on a timechart, you can also consider the timewrap command.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

chitreshakumar
Communicator

I want a chart where Y axis will have age in days and X count of the aging tickets.Then I want to divide it into SR,IN

0 Karma

niketn
Legend

@chitreshakumar, I am not sure if that is possible with column or bar chart. Can you draw out what you need?

If you want to display more than two stats in the same chart you can try out Punchcard Custom Visualization which can display one stats as Size of punches and another stats with Color range.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

chitreshakumar
Communicator

@niketnilay Thanks for your response . If bar chart starts on Y axis instead of X ,are there any ways to make it stacked bar chart according to field value?

0 Karma

niketn
Legend

Similar to Column Chart even Bar chart has Stacking option and also Overlay field. However, I am not sure how any of that will help you with what you are asking.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

chitreshakumar
Communicator

@niketnilay I found out the way to work it out .Thanks anyway

0 Karma

493669
Super Champion

Hi @,
try this:

<base search returning ticket_type field> 
 | stats count as Count by ticket_type
 | rangemap field=Count "0-7"=0-7 "8-15"=8-15 "16-30"=16-30 default=">30" 
 | table ticket_type, Count, range
0 Karma

chitreshakumar
Communicator

Its not working

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...