Frequency distribution with timechart

asarolkar · ‎12-05-2012

Hi all,

I have a timechart that gets created based on the value for a particular threshold

sourcetype="syslog" | timechart count by threshold

Threshold values are 0 through 100 (they can be any value).

They fall in three buckets for the purposes of my report -> 0, <=30 or over 30.

Is there a way to create a stacked bar chart/ bar chart / piechart which will display

i) Chart with values where Threshold = 0

ii) Chart with values where Threshold <= 30

iii) Chart with values where Threshold > 30

This, I suppose can be accomplished by either manipulating the chart (on the Splunk UI during the generation of a report0 - OR - define these "buckets" in a variation on the Splunk query that I wrote.

It is just meant to be a breakdown of sorts

Any help is appreciated

sideview · ‎12-05-2012

The rangemap command can break this down very neatly, at least if you're dealing with integers.

sourcetype="syslog" | rangemap field=threshold zero=0-0 zero_to_thirty=1-30 higher_than_thirty=31-100 | timechart count by range

Eval is a really deep search command though and it can do this very easily with its case statement.

sourcetype="syslog" | eval range=case(threshold==0, "zero", threshold<=30, "less than thirty", threshold>30, "more than thirty") | timechart count by range

Frequency distribution with timechart

Updated Team Landing Page in Splunk Observability

New! Splunk Observability Search Enhancements for Splunk APM Services/Traces and ...

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...