Hi,
My requirement is: I have given the user the option to choose 2 dates, and depending on the dates chosen I need to show a pie chart so that the user can see the difference in count from Date1 to Date2.
Here is the query I am using now, and I am showing that in two different panels. But it would be better if I could compare using the same panel and the same graph.
Note: Dates are not a range.
Example: Date1 = 20/09/2019 and Date2 = 17/10/2019
index="compliance_sum"
| table name result ruleName
| appendpipe
[ lookup netshot.csv Nom as name OUTPUT "Infrastrucure Name" teamInCharge]
| table name result ruleName "$infraname$" teamInCharge
| search "Infrastrucure Name"="FRA-SWING"
| search teamInCharge="$team$"
| search result="NONCONFORMING"
| eval templateType=`macro_template`
| where result="NONCONFORMING"
| stats count by teamInCharge templateType
| eval teamInCharge=teamInCharge." : ".count
Thanks
Try pulling the date out of the _time field and stripping out everything that isn't those two dates.
You will need to set your earliest/latest to be outside of your 2 date ranges for it to work.
Then if you add the date to your stats, you can use a Trellis split by date to get your two charts.
index="compliance_sum"
| eval date = strftime(_time,"%d/%m/%Y")
| search date=Date1 OR date=Date2
| table name result ruleName date
| appendpipe
[ lookup netshot.csv Nom as name OUTPUT "Infrastrucure Name" teamInCharge]
| table name result ruleName "$infraname$" teamInCharge date
| search "Infrastrucure Name"="FRA-SWING"
| search teamInCharge="$team$"
| search result="NONCONFORMING"
| eval templateType=`macro_template`
| where result="NONCONFORMING"
| stats count by teamInCharge templateType date
| eval teamInCharge=teamInCharge." : ".count