Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Can you have 3 fields within a chart

zoebanning
Path Finder
‎11-07-2021 04:49 PM

Hi Splunk Community,

I was wondering if it was possible to have a chart that was made up from 3 fields.... 

I have already built a chart that has columns for each Account where each column is stacked with the Action -->  | chart count by Account, Action 


Can i break down into days using the _time field, so it counts by days?

 

Example of data:

_timeAccountAction
2021-10-20 10:04:03.778account1Delete
2021-10-21 11:04:03.778account2Write
2021-10-21 11:05:03.778account1Write

 

Thanks You,

Zoe 

Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

bhargavi
Path Finder
‎11-15-2021 05:32 AM

Hi @zoebanning ,

 

  • Chart command does not allow more than 2 fields  in by clause
  • Timechart command does not allow more than 1 field  in by clause

    So here I have tried to display the possible values of account and action and merged them into 1 column, then used timechart command . 

    bhargavi_0-1636983082422.png



    bhargavi_1-1636983101981.png



    If this helps, give a thumbs-up 🙂

    Happy Splunking!!

View solution in original post

Reply
Solved! Jump to solution
Solution

bhargavi
Path Finder
‎11-15-2021 05:32 AM

Hi @zoebanning ,

 

  • Chart command does not allow more than 2 fields  in by clause
  • Timechart command does not allow more than 1 field  in by clause

    So here I have tried to display the possible values of account and action and merged them into 1 column, then used timechart command . 

    bhargavi_0-1636983082422.png



    bhargavi_1-1636983101981.png



    If this helps, give a thumbs-up 🙂

    Happy Splunking!!

Reply
Solved! Jump to solution

NobliX
Loves-to-Learn Everything
‎12-24-2022 03:57 AM

Regarding the chart. Is there a possibility to hide or remove a column in the column chart based on nullvalue. (The space created visually) ? As of now it is created spaces to 3 bars, thus its only displaying the value of given instance. 

0 Karma
Reply
Get Updates on the Splunk Community!

Index This | I’m short for "configuration file.” What am I?

May 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with a Special ...

New Articles from Academic Learning Partners, Help Expand Lantern’s Use Case Library, ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Your Guide to SPL2 at .conf24!

So, you’re headed to .conf24? You’re in for a good time. Las Vegas weather is just *chef’s kiss* beautiful in ...