Splunk Search

How to display charts based on condition by some field

avni26
Explorer

Hi,
I want to display two charts, one column chart and one line chart, in a single panel based on a condition.
For example, if result=found then a column chart based on user for all months, and when result="not found" then a line chart based on user.
My data is like:
Users result Jan Feb Mar Apr May Jun July .. Dec
ABC found 100 102 103 102 100 105 200... 70
ABC Not-Found 20 50 22 30 60 22 43 .... 10
XYZ found 120 80 70 ..........................................
XYZ Not-Found 24 30 15 .........................................

Now, I want to display a column chart when result=found, with x-axis (Months) and y-axis (month value) by Users, and
in the same panel I want to show a line chart when result=not found, with x-axis (Months) and y-axis (month value) by Users.

Please suggest.

1 Solution

to4kawa
Ultra Champion
| gentimes start=01/01/2019 
| rename starttime as _time 
| timechart span=1month count 
| eval time = strftime(_time ,"%b") 
| table time count 
| transpose 0 header_field=time column_name=Users 
| table Users Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec 
| eval user=mvrange(0,4) 
| mvexpand user 
| foreach * [ eval <<FIELD>> = random() % 100 + 10]
| streamstats count 
| eval result=if(count % 2 = 1,"found","Not_Found") 
| eval Users=if(count <= 2,"ABC","XYZ") 
| table Users result Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec
`comment("this is your sample. From here, the logic")`
| eval tmp=Users.":".result
| fields - Users result
| transpose 0 header_field=tmp column_name=month

Visualization >> Column Chart with overlay ABC:Not_Found and XYZ:Not_Found

Hi, folks. How about this?
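A Simple XML panel that implements the accepted approach above (one search whose transposed columns become chart series, with the Not-Found series drawn as line overlays on the column chart). This is an added example, not code from the thread; `your_index` and `your_sourcetype` are placeholders, and the overlay field names assume the result values are spelled `Not-Found` as in the question's sample data (to4kawa's generated sample uses `Not_Found`).

```xml
<dashboard>
  <label>Found (columns) vs Not-Found (lines) per user</label>
  <row>
    <panel>
      <chart>
        <title>Monthly values by user and result</title>
        <search>
          <!-- Placeholder base search: replace with the search that yields
               Users, result and one column per month -->
          <query>
            index=your_index sourcetype=your_sourcetype
            | table Users result Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec
            | eval tmp=Users.":".result
            | fields - Users result
            | transpose 0 header_field=tmp column_name=month
          </query>
          <earliest>-1y@y</earliest>
          <latest>now</latest>
        </search>
        <!-- Base chart type: every series (ABC:found, XYZ:found, ...) is a column -->
        <option name="charting.chart">column</option>
        <!-- Series listed here are drawn as lines on top of the columns;
             names must match the transposed column headers exactly -->
        <option name="charting.chart.overlayFields">ABC:Not-Found,XYZ:Not-Found</option>
        <!-- Keep a single Y axis so lines and columns share one scale -->
        <option name="charting.axisY2.enabled">0</option>
        <option name="charting.legend.placement">bottom</option>
      </chart>
    </panel>
  </row>
</dashboard>
```

If the `result` values differ from the question's sample, list the actual `<Users>:<result>` headers produced by the transpose in `overlayFields`; a name that does not match any series is silently ignored.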

Taruchit
Contributor

Hi All,

How can we apply an if-else condition to the following chart command such that if the value in a cell is 0, the cell is empty; otherwise it displays the cell content.

| chart sum(field1) OVER field2 BY field3

The above command gives a tabular result with field2 values on the Y axis, field3 values on the X axis, and sum(field1) data in the cells for each field2 and field3.

I want to keep the cells which evaluate to sum(field1)=0, but want to keep those cells empty.

Thank you


avni26
Explorer

@to4kawa Thanks, it worked perfectly as per my requirement.


somesoni2
SplunkTrust

You could use post-process searches in your dashboard and feed two post-process searches, one to each visualization.

Base search:

Your base search giving fields Users result Jan Feb...
| eval temp=Users."##".result | fields - Users result
| untable temp month valueForMonth
| rex field=temp "(?<Users>.+)##(?<result>.+)" | fields - temp
| stats sum(valueForMonth) as valueForMonth by month result

Post process 1 - for column chart

| where result="found" | table month valueForMonth

Post process 2 - for line chart

| where result="Not-Found" | table month valueForMonth

For an example of how to write post-process searches for a dashboard, refer to this Splunk documentation:
https://docs.splunk.com/Documentation/Splunk/8.0.1/Viz/Savedsearches#Examples_2 (first example is close to what you need)


13tsavage
Communicator

You do not want to chart individual users, correct? Because that could be a MASSIVELY long chart if you have hundreds of users.

You just want a TOTAL COUNT of users found and not found?
