How can I add extra labels to columns in charts?

dhruv101 · ‎06-28-2018

Hi,

I create a chart using the following query which basically combines three fields and plots their count on a chart.
When I hover the mouse on any column I can see the phase name and count(as expected).

 index=“app_event” 
 | eval myFan=mvrange(0,3)
 | mvexpand myFan
 | eval time=case(myFan=0,$$payload.beginVal$$, myFan=1,$$payload.endVal$$, myFan=2,$$payload.anotherVal$$)
 | eval phase=case(myFan=0,"Start", myFan=1,"End", myFan=2,"Other")
 | eval Time= strftime (time, “%F %T.%9Q”)
 | chart count by Time phase

I now want to add an extra label($$payload.eventID$$) to every column such that when I hover over a column I am also able to see this label. How do I do this?

(PS I first tried concatenating this label to phase but then the chart starts counting by 'phase+payload.eventID' which I do not want. I want the chart to look the same, just with the new added label to each column.)

Thanks.

felipesewaybric · ‎07-09-2018

I agree with the somesoni answer

somesoni2 · ‎07-03-2018

Just add following to end of your current search

| rename Start as "$$payload.eventID$$:Start" End as "$$payload.eventID$$:End" Other as "$$payload.eventID$$:Other"

vidhyaArumalla · ‎07-09-2018

This above solution helped me to solve a similar problem, Thanks @somesoni2

How can I add extra labels to columns in charts?

Introducing the Splunk Community Dashboard Challenge!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...