Dashboards & Visualizations

How to Combine two bar chart into into one bar chart?

udaypulipaka
Observer

Hi,

I have two bar charts namely resolved and escalated bar charts .Based on component we created this two charts.Now i want to combine two charts into one chart and place side by side based on component.For example "Data is Not getting" component,Then it should display side by side in chart for resolved and escalated.

Tags (1)
0 Karma
1 Solution

DMohn
Motivator

Not knowing your search which leads to the shown charts it's a bit hard to come up with the correct search, but you could go like this:

<your base search> | stats count(resolved) as num_resolved count(escalated) as num_escalated by component

and display the results as a bar chart. this should render the results you need.

View solution in original post

0 Karma

DMohn
Motivator

Not knowing your search which leads to the shown charts it's a bit hard to come up with the correct search, but you could go like this:

<your base search> | stats count(resolved) as num_resolved count(escalated) as num_escalated by component

and display the results as a bar chart. this should render the results you need.

0 Karma

udaypulipaka
Observer

This is my query:

Escalated Case:

index="os" sourcetype="Service" CaseNumber=* status=* assignment_group=* |dedup _time,CaseNumber,assignment_group| streamstats current=f last(assignment_group) as lg by CaseNumber|where assignment_group!=lg AND assignment_group="Sustaining L1"|chart count as "Escalated Cases" by Component

Resolved Case:

index="os" sourcetype="Service" CaseNumber=* status=* assignment_group=* |dedup _time,CaseNumber,assignment_group| streamstats current=f last(assignment_group) as lg, last(active) as Active by CaseNumber|where assignment_group="Sustaining L1" AND status="Complete" AND (isnull(Active) OR Active="true")|chart count as "Resolved Cases" by Component

Please give me final Query

0 Karma

udaypulipaka
Observer

Thank u so much for your help.It is working fine.

0 Karma

DMohn
Motivator

Try this:

 index="os" sourcetype="Service" CaseNumber= status= assignment_group=* 
 | dedup _time,CaseNumber,assignment_group 
 | streamstats current=f last(assignment_group) as lg, last(active) as Active by CaseNumber 
 | eval is_escalated = if(assignment_group!=lg AND assignment_group=="Sustaining L1",1,NULL) 
 | eval is_resolved = if(assignment_group=="Sustaining L1" AND status=="Complete" AND (isnull(Active) OR Active="true"),1,NULL) 
 | chart count(is_escalated) AS "Escalated Cases" count(is_resolved) AS "Resolved Cases" by Component
0 Karma
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...