- Splunk Answers
- :
- Using Splunk
- :
- Dashboards & Visualizations
- :
- How to create bar chart with time & total amount?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to create bar chart with time & total amount?
Under event column, i have these two values:
field_01 field_02
20180524110001 7452
20180524100001 7405
20180524090001 7276
How do I turn them into a bar chart with x-axis = time(per hour) & y-axis= field_02?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If your _time field value corresponds to your fields_01, then you can do something like this
your current search which includes _time field_01 field_02
| timechart span=1h count by field_02
If its's not and you want to use field_01 value as time, then you can do something like this
your current search which includes _time field_01 field_02
| eval _time=strptime(field_01,"%Y%m%d%H%M%S") | timechart span=1h count by field_02
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
thanks for the quick response.
but the value of the field_02 is already the total count.
hence is it still possible to plot a bar chart with field_01 & field_02?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Then try to use last() instead of sum(), or use max()...
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@hkchew, the values in your question i.e. field_o1 and field_02 are present in your raw events or are generated using Splunk search with some transforming command? The reason why I ask is if you have already used some statistical commands to generate the table, then there might be a possibility to format the results as needed up-front. If they are as they appear in the raw events then you can try the following:
<yourBaseSearch>
| eval _time=strptime(field_01,"%Y%m%d%H%M%S")
| timechart span=1h sum(field_02) as Total
Following is the run anywhere search based on sample data provided:
| makeresults
| eval data="20180524110001 7452;20180524100001 7405;20180524090001 7276"
| makemv data delim=";"
| mvexpand data
| makemv data delim=" "
| eval field_01=mvindex(data,0), field_02=mvindex(data,1)
| fields - data
| eval _time=strptime(field_01,"%Y%m%d%H%M%S")
| timechart span=1h sum(field_02) as Total
@somesoni2, I think sum(field_02) as Total aggregate should be used instead of count by field_02 as field_02 already has the count.
| makeresults | eval message= "Happy Splunking!!!"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@niketnilay it works perfectly but the chart only shows the past records/figures.
how can i show the most recent records/figures on the chart?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@hkchew try sum(field_02) as per my comment above.
| makeresults | eval message= "Happy Splunking!!!"
Detecting Remote Code Executions With the Splunk Threat Research Team
Observability | Use Synthetic Monitoring for Website Metadata Verification
More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk
