Refine your search:

Cannot drill down because of post processing like eval or add total

1

Dear All
I need to make quite a lot of stacked bar chart for example "Top 20 WebUserAgent by country". Example of the BarChart the log is general apache log. and my search is

sourcetype="nswebapplog" (src_ip!=192.168. AND src_ip!=10.0.) status=200 useragent!="-" | lookup geoip clientip as src_ip | chart count by useragent1 client_country | addtotals | sort - Total | fields - Total | head 20

However If I do it like this it will prevent from drill down because of post process like eval or Addtotols.

Do anyone know how I can make stacked chart that I can drill down while still limit to top 10 or 20 output?

asked 29 Jun '11, 23:42

keiichilam's gravatar image

keiichilam
313
accept rate: 0%

Be the first one to answer this question!
toggle preview

Follow this question

Log In to enable email subscriptions

RSS:

Answers

Answers + Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "Title")
  • image?![alt text](/path/img.jpg "Title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

learn more about Markdown

Tags:

×192

Asked: 29 Jun '11, 23:42

Seen: 964 times

Last updated: 29 Jun '11, 23:42

Related questions

Unable to drill down when using post-reporting commands

PARSER: Applying intentions failed Unable to drilldown because of post-reporting 'eval' command (can't drill down in redirected flashtimeline)

drill down capability

Specify drill down search

Can force HTTP POST from module / drill down?

Post processing summarized data

Drill Down Not Showing Results

How can use to post process to drill down ?

Google Maps Drill Down by AreaCode_Exchange

Copyright © 2005-2012 Splunk Inc. All rights reserved.