topic Re: Chart Multiple (4) Fields in Splunk Search

Chart Multiple (4) Fields

arielpconsolaci — Fri, 23 Jun 2017 04:18:15 GMT

Is it possible to create a chart out of 4 fields in Splunk?
I am trying to create a chart shown below but I was only able to using 3 fields (without the status). My given data have 4 fields. Any suggestions to this? Thanks in advance.

Re: Chart Multiple (4) Fields

inventsekar — Fri, 23 Jun 2017 04:30:49 GMT

may we know your current splunk search query..
you can do some split by or layered/multi-stack options I think.
one question - how status can be embedded on this chart - is a tricky issue.

Re: Chart Multiple (4) Fields

arielpconsolaci — Fri, 23 Jun 2017 04:37:06 GMT

Thank you for your response @inventsekar.

My query is as simple as below.

index=component_server
| timechart span=1m sum(No.) by Component
| fillnull value=0

Yes. I am having troubles incorporating the 'Status'. Can you advise on this?

Re: Chart Multiple (4) Fields

inventsekar — Fri, 23 Jun 2017 05:26:25 GMT

ok, please check this... as timechart by Status can be one idea.. please check the image.

sourcetype="csvtest" | timechart span=1m sum(No) by Status | fillnull value=0

Re: Chart Multiple (4) Fields

arielpconsolaci — Fri, 23 Jun 2017 07:08:44 GMT

Thank you for this, @inventsekar. However, i'd need a chart (based on component and status) close to the screenshot i've sent above.

Re: Chart Multiple (4) Fields

HeinzWaescher — Fri, 23 Jun 2017 07:18:17 GMT

What about something like:

index=component_server
| timechart span=1m sum(No.), values(status) AS status by component
| fillnull value=0

Re: Chart Multiple (4) Fields

arielpconsolaci — Fri, 23 Jun 2017 09:26:03 GMT

Thank you for this suggestion @HeinzWaescher. This however does not show the 'Status'.

Re: Chart Multiple (4) Fields

cmerriman — Fri, 23 Jun 2017 11:49:10 GMT

what version of splunk are you currently running? if you are on 6.6, i would recommend the new Trellis feature for this.

| makeresults |eval data="_time=1498217650,component=A,status=running,no=10 _time=1498217651,component=A,status=running,no=20 _time=1498217652,component=A,status=offline,no=10 _time=1498217653,component=A,status=online,no=30 _time=1498217650,component=B,status=running,no=20 _time=1498217651,component=B,status=offline,no=40 _time=1498217652,component=B,status=offline,no=10 _time=1498217653,component=B,status=running,no=40"|makemv data |mvexpand data|eval _raw=data|kv|eval _time=time|stats values(no) as no by _time component status|eval{status}=no|fields - status - no

you can split each component into its own chart with the same query. Splunk does not currently have a way, that I know of, to allow for multi-level x-axis, like Excel does, and the trellis feature is a close second.