topic Re: Splunk Search SPL in Splunk Enterprise

Splunk Search SPL

uagraw01 — Wed, 19 Apr 2023 07:26:22 GMT

Hello Splunkers !!

Below are the screenshot visualization we need to achieve through Splunk.

We need Ordertype on Yaxis, and cross Ailsle distance & time on Xaxis. Please let me know how can I use this in timechart command ?

Re: Splunk Search SPL

ITWhisperer — Wed, 19 Apr 2023 07:41:35 GMT

Without the SPL you already have, it is difficult to tell you what to change. However, assuming that you already have distance in one field (distance), order type in another field (type), and time in another field (_time), and that what you actually mean is distance on the Y-axis i.e. the measurement you are wanting to show, then try this

| timechart max(distance) as distance by type

Re: Splunk Search SPL

uagraw01 — Wed, 19 Apr 2023 07:48:20 GMT

@ITWhisperer Below are two fields as well as complete SPL

OrderType &CrossAisleDistance
=============================================

| datamodel ITconnection ThroughputReport flat
|search OrderStatus="Finished" AND OrderType IN(Storage, Transfer, Retrieval, "Sequenced retrieval", Relocate)
`convert_time_fields`
| search date_year="*" date_month="*" weeknum="*" day_week="*" date_hour="*" date_minute="*"
| fields _time OrderId OrderType LiftId EntryLocation LogicalDestination CrossAisleDistance ModuleId
| fillnull LiftId EntryLocation LogicalDestination value="Unknown"
| search LiftId IN("*") EntryLocation IN ("*") LogicalDestination IN ("*") | search OrderType IN("*")
| eval OrderType=if(OrderType="Sequenced retrieval","S_Ret", OrderType)
| chart count by CrossAisleDistance, OrderType limit=0
| addcoltotals labelfield=CrossAisleDistance label=Total
| eval Retrieval=if(isnull(Retrieval),0,Retrieval) , Storage=if(isnull(Storage),0,Storage) , Transfer=if(isnull(Transfer),0,Transfer), S_Ret=if(isnull(S_Ret),0,S_Ret), Relocate=if(isnull(Relocate),0,Relocate)
| eventstats last(Retrieval) as Ret, last(Storage) as store, last(Transfer) as Trans, last(S_Ret) as seqret, last(Relocate) as relo
| eval Relocate=if(isnotnull(Relocate),round((Relocate/(Ret+store+Trans+seqret+relo))*100,2),round((Relocate/relo)*100,2)), Retrieval=if(isnotnull(Retrieval),round((Retrieval/(Ret+store+Trans+seqret+relo))*100,2),round((Retrieval/Ret)*100,2)), Storage=if(isnotnull(Storage),round((Storage/(Ret+store+Trans+seqret+relo))*100,2), round((Storage/store)*100,2)), Transfer=if(isnotnull(Transfer),round((Transfer/(Ret+store+Trans+seqret+relo))*100,2), round((Transfer/Trans)*100,2)), SequencedRetrieval=if(isnotnull(S_Ret),round((S_Ret/(Ret+store+Trans+seqret+relo))*100,2),round((S_Ret/seqret)*100,2))
| where CrossAisleDistance!="Total"
| fields - Ret, store, Trans, S_Ret, seqret, relo

Re: Splunk Search SPL

uagraw01 — Wed, 19 Apr 2023 08:44:43 GMT

@ITWhisperer So far my visualization is looking as below. But I want time also in the x-axis

Re: Splunk Search SPL

ITWhisperer — Wed, 19 Apr 2023 10:14:41 GMT

After this point in your search

| chart count by CrossAisleDistance, OrderType limit=0

You no longer have _time available to you

Re: Splunk Search SPL

uagraw01 — Wed, 19 Apr 2023 10:26:25 GMT

@ITWhisperer I have used this in place of the "| chart count by CrossAisleDistance, OrderType limit=0" . But still is not giving the expected results

| bin _time span=1d
| stats count by CrossAisleDistance, OrderType _time
| xyseries CrossAisleDistance, OrderType _time

Re: Splunk Search SPL

ITWhisperer — Wed, 19 Apr 2023 10:44:16 GMT

What did you expect that command to do?

xyseries - Splunk Documentation

Splunk > Clara-fication: transpose, xyseries, untable, and More | Splunk

Re: Splunk Search SPL

uagraw01 — Wed, 19 Apr 2023 15:13:30 GMT

@ITWhisperer I am expecting order_type on y-axis and distance and time is on x-axis

Re: Splunk Search SPL

ITWhisperer — Wed, 19 Apr 2023 15:30:07 GMT

Axis are for "measuring" one thing at a time. Can you show a picture of what you are trying to achieve? Or perhaps, what it is that you intend the chart to be able to visualise?

Re: Splunk Search SPL

uagraw01 — Wed, 19 Apr 2023 15:40:05 GMT

@ITWhisperer In a very first screenshot I have pasted , that is the visualization which I want to achieve.

Re: Splunk Search SPL

ITWhisperer — Wed, 19 Apr 2023 15:42:22 GMT

Your pasted visualisation doesn't have two things on the x-axis - if you just want time on the x-axis, it has to be in the first column

Re: Splunk Search SPL

uagraw01 — Wed, 19 Apr 2023 15:46:08 GMT

Yes you are right. Now in your view can I achieve the same kind of visualization through Splunk ?

Re: Splunk Search SPL

ITWhisperer — Wed, 19 Apr 2023 15:52:30 GMT

| timechart count by OrderType