Solved: Column chart based on field value, without everyth...

jwiley_splunk · ‎03-25-2019

Currently having a hard time figuring out how to create a column chart where the field values show up in the side, so I can color code them in XML.

My query is bringing back the results into a table, which I then pipe into a count command to create this column chart. The chart is exactly the info I want to see, I just can't figure out how to make color code it, since it's all the "count" field in XML.

| Parent search query
| table Name, (other fields)
| stats count by Name

I've looked all over, but just can't figure it out.

renjith_nair · ‎03-25-2019

@jwiley_splunk ,

Try transpose ing it

| Parent search query
| table Name, (other fields)
| stats count by Name
| transpose 0 header_field=Name

Happy Splunking!

View solution in original post

renjith_nair · ‎03-25-2019

@jwiley_splunk ,

Try transpose ing it

| Parent search query
| table Name, (other fields)
| stats count by Name
| transpose 0 header_field=Name

Happy Splunking!

jwiley_splunk · ‎03-25-2019

That's almost perfect!

Is there a way to get the original labels back under the columns?

renjith_nair · ‎03-25-2019

@jwiley_splunk ,
Try this and select "stacked" in the format

 | Parent search query
 | table Name, (other fields)
 | eval _tmp=Name
 | chart count over Name by _tmp

Happy Splunking!

jwiley_splunk · ‎03-25-2019

You're a saint. Thank you so much Renjith!

Column chart based on field value, without everything being the "count" field

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms