Hi all,
I have a timechart that gets created based on the value for a particular threshold:
sourcetype="syslog" | timechart count by threshold
Threshold values are 0 through 100 (they can be any value).
They fall in three buckets for the purposes of my report -> 0, <=30 or over 30.
Is there a way to create a stacked bar chart / bar chart / pie chart which will display:
i) Chart with values where Threshold = 0
ii) Chart with values where Threshold <= 30
iii) Chart with values where Threshold > 30
This, I suppose, can be accomplished either by manipulating the chart (on the Splunk UI during the generation of a report) - OR - by defining these "buckets" in a variation on the Splunk query that I wrote.
It is just meant to be a breakdown of sorts.
Any help is appreciated.
The rangemap command can break this down very neatly, at least if you're dealing with integers.
sourcetype="syslog" | rangemap field=threshold zero=0-0 zero_to_thirty=1-30 higher_than_thirty=31-100 | timechart count by range
Eval is a really deep search command, though, and it can do this very easily with its case statement.
sourcetype="syslog" | eval range=case(threshold==0, "zero", threshold<=30, "less than thirty", threshold>30, "more than thirty") | timechart count by range
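As an added illustration (not part of the original thread or Splunk itself), the following Python stand-in mimics both SPL approaches over constructed syslog lines and shows why the rangemap version is only safe for integers: a value such as 0.5 falls into the gap between 0-0 and 1-30, and a value above 100 falls past the last range, so both land in rangemap's default label "None", while the eval case() version classifies every value. The field name "threshold" and the hourly bucketing are assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed sample syslog lines (not from the thread); "threshold=<n>" is
# assumed to be an already-extracted field on the sourcetype="syslog" events.
SAMPLE_LOGS = [
    "Jan 10 10:01:02 host1 app: threshold=0 status=ok",
    "Jan 10 10:05:10 host1 app: threshold=12 status=ok",
    "Jan 10 10:59:59 host2 app: threshold=30 status=warn",
    "Jan 10 11:02:00 host2 app: threshold=31 status=warn",
    "Jan 10 11:30:00 host3 app: threshold=85 status=crit",
    "Jan 10 11:45:00 host3 app: threshold=0.5 status=ok",    # non-integer
    "Jan 10 11:50:00 host3 app: threshold=120 status=crit",  # above 100
]

FIELD_RE = re.compile(r"threshold=(\S+)")

# Mirrors: rangemap field=threshold zero=0-0 zero_to_thirty=1-30 higher_than_thirty=31-100
RANGEMAP_RANGES = {
    "zero": (0, 0),
    "zero_to_thirty": (1, 30),
    "higher_than_thirty": (31, 100),
}

def rangemap_bucket(value):
    """Label a value by the first matching integer range; anything that hits
    no range gets rangemap's default label, "None"."""
    for name, (lo, hi) in RANGEMAP_RANGES.items():
        if lo <= value <= hi:
            return name
    return "None"

def case_bucket(value):
    """Mirrors: eval range=case(threshold==0, "zero", threshold<=30,
    "less than thirty", threshold>30, "more than thirty"). Order matters:
    0 must be tested before <=30."""
    if value == 0:
        return "zero"
    if value <= 30:
        return "less than thirty"
    return "more than thirty"

def timechart_count_by(lines, bucket_fn):
    """Rough stand-in for `timechart count by range` with a 1h span: count
    events per hour bucket ('Mon DD HH' prefix of the line) per range label."""
    table = defaultdict(Counter)
    for line in lines:
        m = FIELD_RE.search(line)
        if not m:
            continue  # event without the field contributes nothing, as in SPL
        table[line[:9]][bucket_fn(float(m.group(1)))] += 1
    return {hour: dict(counts) for hour, counts in table.items()}
```

Running `timechart_count_by(SAMPLE_LOGS, rangemap_bucket)` shows two "None" events in the 11:00 hour that `case_bucket` instead places in "less than thirty" and "more than thirty".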