Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to get a Line Chart with 3 Split by Clauses?

mstark31
Path Finder
‎07-19-2017 12:52 PM

I have a set of lab samples that have a Percent value measured in 3 different locations across the sample, identified as A, B, and C. Each sample is also associated with a different style.

My end goal is to have a line chart with SampleID on the x-axis and Pct on the y-axis with a set 3 different data series for each of the locations A, B, and C for each style. (So Style1PctA, Style1PctB, Style1PctC, Style2PctA, Style2PctB, Style2PctC,...)
Then, I want to use Trellis view to separate by Style, so I'd have a graph with the series for A, B, and C for each Style.

My search is as follows:

| stats avg(Pct) as Pct by SampleID, Location, Style

which of course gives me a table that contains the following fields: SampleID, Location, Style, Pct.
This results in a graph with 3 series: Location, Style, and Pct, but Pct is the only one that shows up on the graph and there is no differentiation by Location or Style.
From there, I can Trellis by Style, but there is no differentiation by Location.

I know that I can accomplish this by doing a separate search (or using a token) to filter by Style before graphing, but then I have to hard-code each of my Styles into either an input on a dashboard, or a series of graphs.

| search Style=123
| stats avg(Pct) as Pct by SampleID, Location

Is there a better way to accomplish this?

Reply

mstark31
Path Finder
‎07-19-2017 01:17 PM

That second block of code should say chart on line 2 instead of stats

0 Karma
Reply

somesoni2
Revered Legend
‎07-19-2017 01:00 PM

GIve this a try

....| stats avg(Pct) as Pct by SampleID, Location, Style | eval Loc_Style=Location.":".Stype
| chart avg(Pct) over SampleID by Loc_Style
0 Karma
Reply

mstark31
Path Finder
‎07-19-2017 01:14 PM

Thank you. While this does work to get all the data series on a single chart, it does not work if I want to do a trellis view separating by Style.

Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars this month. This ...

They're back! Join the SplunkTrust and MVP at .conf24

With our highly anticipated annual conference, .conf, comes the fez-wearers you can trust! The SplunkTrust, as ...

Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...