Given a data set with events that fall into X categories and Y subcategories, can I display a chart that shows a column or portion-of-pie or bar for each combination of X/Y?
Example data set
server=main cat=a sub=1
server=alt cat=b sub=1
server=main cat=c sub=1
server=main cat=a sub=2
server=alt cat=b sub=2
server=main cat=c sub=2
server=main cat=b sub=3
server=alt cat=c sub=3
For the chart of the above data, the chart shows one bar for count of all cat=a/sub=1 events, one shows all cat=b/sub=1 events, etc.
Bonus Vocab Quiz: 1) what are the sections (bars, columns, portions of pie) of a chart to be referred to as in splunkese?
... | eval series=cat."/".sub | chart count by series
I would refer to each section as a "series" or "data series".
If you have repeated "sub" values as in your example, you may want to consider a search like:
... | chart count by cat sub
This will make a table like:
cat 1 2 3
--- - - -
a . . .
b . . .
c . . .
This is useful if you want a stacked column chart to be rendered in the UI, so that you can see each combination as well as the total for each category.
... | eval series=cat."/".sub | chart count by series
I would refer to each section as a "series" or "data series".