Dashboards & Visualizations

How do I make a different bar chart for each day in a given timerange ?

sandeepmakkena
Contributor

mysearch

| eval Status=if(like(_raw, "%POSTING:SUCCEEDED%"), "2.Successful transactions" , "1.Rejected Transactions") 
| timechart count by Status span=1hr | timewrap 1day

I am trying to compare today's total successful transactions and rejected transactions with past 2days, past3days...past7days. I am trying to use the above query, but it is getting me a separate bar graph from successful and rejected( I want them to be stacked) Please help me achieve this.
Thank you.,

0 Karma

Vijeta
Influencer

You can change the format to stack mode from Visualization format.

0 Karma

sandeepmakkena
Contributor

I tried that it didnot work. It is giving me a big bar graph will all days selected with different colors.

0 Karma

Vijeta
Influencer

You need to combine last 2 days as one , you can do that by renaming and eval. Also since you are comparing current date with last 2 days
|rename "2.Successful transactions_1day_before" as Last_Success_1, rename "1.Rejected Transactions_1day_before" as Last_Rejected_1, "2.Successful transactions_2day_before" as Last_Success_2, rename "1.Rejected Ttransactions_2day_before" as Last_Rejected_2
|eval Last_Success=Last_Success_1 + Last_Success_2
|eval Last_Rejected= Last_Rejected_1 + Last_Rejected_2
| fields _time Last_Success Last_Rejected 2.Successful transactions_latest_day "1.Rejected Transactions_latest_day"

0 Karma

sandeepmakkena
Contributor

Thanks for the info, but let’s say if I want to compare last 7days should I keep on renaming all the days If so I think there should be a better way. Thanks

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...