Ah! Thank you, thank you!
Last night I had come up with something similar to the above but without stats, and it didn't produce the results yours did. I took what I had and combined it with yours and now have the following:
sourcetype=xxx_xxxx
| eval inbound_avg_util = round(inbound_avg_util,2), inbound_max_util = round(inbound_max_util,2), outbound_avg_util = round(outbound_avg_util,2), outbound_max_util = round(outbound_max_util,2)
| stats avg(inbound_avg_util) AS A avg(inbound_max_util) AS B avg(outbound_avg_util) AS C avg(outbound_max_util) AS D by source
| eval range1=case(A >= 0 AND A < 20, "0%-19%", A < 40, "20%-39%", A < 60, "40%-59%", A < 80, "60%-79%", A >= 80, "80+%")
| eval range2=case(B >= 0 AND B < 20, "0%-19%", B < 40, "20%-39%", B < 60, "40%-59%", B < 80, "60%-79%", B >= 80, "80+%")
| eval range3=case(C >= 0 AND C < 20, "0%-19%", C < 40, "20%-39%", C < 60, "40%-59%", C < 80, "60%-79%", C >= 80, "80+%")
| eval range4=case(D >= 0 AND D < 20, "0%-19%", D < 40, "20%-39%", D < 60, "40%-59%", D < 80, "60%-79%", D >= 80, "80+%")
It's now producing the charts (stacked) by the source. A lot of sources (35).
Now I'm trying to figure out how to narrow down the charts (stacked) to only the ranges, with four stacked charts. I thought there was a way to group field names into a new field using eval and/or rex, and figured I could use the newly created field to chart on. Again I head down that path only to eventually become confused. So time to step away again, rethink, and read some more. I'm thinking now this may require subsearches? Am I wrong, or is there a better solution?
Basically, the end result I'm shooting for would be four charts (stacked): inbound_avg_util, inbound_max_util, outbound_avg_util, outbound_max_util, with the range results stacked. I know there's a way; just finding the right solution is the journey with Splunk.
Thanks again
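The search below is an added example (it is not from the post above or from its author) showing one way to get the four-stacked-charts result the post describes: average each metric per source, unpivot the four averages into one metric/value pair per row with untable, bucket every value into a range once (with contiguous boundaries so no value falls between buckets), and then count sources per range for each metric. The field names and the sourcetype are assumed to be exactly those used in the post.

```spl
sourcetype=xxx_xxxx
| stats avg(inbound_avg_util) AS inbound_avg_util avg(inbound_max_util) AS inbound_max_util avg(outbound_avg_util) AS outbound_avg_util avg(outbound_max_util) AS outbound_max_util BY source
| untable source metric value
| eval range=case(value < 20, "0%-19%", value < 40, "20%-39%", value < 60, "40%-59%", value < 80, "60%-79%", true(), "80+%")
| chart count OVER metric BY range
```

The chart output has one row per metric and one column per range, so rendering it as a stacked bar chart gives four bars (one per metric), each stacked by how many of the sources fall into each range. If one chart per metric is wanted instead, keep the rows from untable and eval, and use `| where metric="inbound_avg_util" | stats count BY range` in each panel.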