How do I make a different bar chart for each day i...

sandeepmakkena · ‎10-10-2018

mysearch

| eval Status=if(like(_raw, "%POSTING:SUCCEEDED%"), "2.Successful transactions" , "1.Rejected Transactions") 
| timechart count by Status span=1hr | timewrap 1day

I am trying to compare today's total successful transactions and rejected transactions with past 2days, past3days...past7days. I am trying to use the above query, but it is getting me a separate bar graph from successful and rejected( I want them to be stacked) Please help me achieve this.
Thank you.,

Vijeta · ‎10-10-2018

You can change the format to stack mode from Visualization format.

sandeepmakkena · ‎10-10-2018

I tried that it didnot work. It is giving me a big bar graph will all days selected with different colors.

Vijeta · ‎10-10-2018

You need to combine last 2 days as one , you can do that by renaming and eval. Also since you are comparing current date with last 2 days
|rename "2.Successful transactions_1day_before" as Last_Success_1, rename "1.Rejected Transactions_1day_before" as Last_Rejected_1, "2.Successful transactions_2day_before" as Last_Success_2, rename "1.Rejected Ttransactions_2day_before" as Last_Rejected_2
|eval Last_Success=Last_Success_1 + Last_Success_2
|eval Last_Rejected= Last_Rejected_1 + Last_Rejected_2
| fields _time Last_Success Last_Rejected 2.Successful transactions_latest_day "1.Rejected Transactions_latest_day"

sandeepmakkena · ‎10-10-2018

Thanks for the info, but let’s say if I want to compare last 7days should I keep on renaming all the days If so I think there should be a better way. Thanks

How do I make a different bar chart for each day in a given timerange ?

Introducing the Splunk Community Dashboard Challenge!

Get the T-shirt to Prove You Survived Splunk University Bootcamp

Wondering How to Build Resiliency in the Cloud?