Solved: How do you chart two unrelated numbers?

tmaurst · ‎02-12-2019

I am completely stumped as to how to chart two numbers.

I have two counts from two searches. I simply want to chart them side by side.

sourcetype=mySource AND first string I'm looking for | stats count as firstCount | appendcols [search sourcetype=mySource AND second string I'm looking for | stats count as secondCount] | chart <how to chart firstCount and secondCount on bar graph?>

The counts are fine and are returning the expected values. I just can't figure out how to chart them together. For instance, if I have the numbers 5 and 10, how can those show up on a simple numbered x-axis together in bar graph form?

Thanks

richgalloway · ‎02-12-2019

You don't need two searches. Put both conditions into the base search then use an eval to create a field that distinguishes each. Use that field in the chart command to show the counts. Depending on your data, there may be other ways to do the eval (a unique field in each, for instance).

sourcetype=mySource ("first string I'm looking for" OR "second string I'm looking for") 
| eval split=if(match(_raw, ".*first string I'm looking for.*"), "first", "second") | chart count by split

---
If this reply helps you, Karma would be appreciated.

View solution in original post

woodcock · ‎02-12-2019

Like this:

index=YouShouldAlwaysSpecifyAnIndex AND sourcetype=mySource AND ("first string" OR "second string")
| stats count(eval(searchmatch("first string"))) AS firstCount count(eval(searchmatch("seconds string"))) AS secondCount

The rest is a matter of picking the right visualization and configuration options for it.

tmaurst · ‎02-13-2019

Thanks. Why should we always use an index? I'm guessing performance related but can you be more specific as to why?

woodcock · ‎02-13-2019

When you are not referencing an index in your search, you are relying on the Indexes searched by default setting that your admins control so this setting can be changed at any time without notice and varies from role-to-role. This means that your search could behave very differently from user to user at the same time or for the same user across time. This is absurdly risky and negligent on your part.

tmaurst · ‎02-13-2019

Makes sense.

woodcock · ‎02-13-2019

Be sure to spread around the UpVotes to helpful answers and comments and click Accept to close your question.

richgalloway · ‎02-12-2019

You don't need two searches. Put both conditions into the base search then use an eval to create a field that distinguishes each. Use that field in the chart command to show the counts. Depending on your data, there may be other ways to do the eval (a unique field in each, for instance).

sourcetype=mySource ("first string I'm looking for" OR "second string I'm looking for") 
| eval split=if(match(_raw, ".*first string I'm looking for.*"), "first", "second") | chart count by split

---
If this reply helps you, Karma would be appreciated.

tmaurst · ‎02-13-2019

This works, thank you. For a bonus... when one of the counts is 0, it will not have a bar on the graph. Is there a way to force a placement for this, such that the 0 value is conveyed? Otherwise it's not apparent that two values are being compared.

woodcock · ‎02-13-2019

Ask a new question.

How do you chart two unrelated numbers?

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor