https://community.splunk.com/t5/Splunk-Search/How-do-I-display-the-content-from-my-search-results-table-in-a/m-p/212597#M62285 <P>HI,<BR /> it works and i understand but higher manager doesn't understand this representation.</P> <P>is there any alternate way to represent</P> Tue, 03 Jan 2017 18:10:02 GMT rajgowd1 2017-01-03T18:10:02Z https://community.splunk.com/t5/Splunk-Search/How-do-I-display-the-content-from-my-search-results-table-in-a/m-p/212591#M62279 <P>Hi,</P> <P>I have a search which displays content in a table format. Here is the search and I would like to show them in scatter chart or in D3.<BR /> <IMG src="https://docs.pivotal.io/pcf-metrics/1-2/images/events.png" alt="alt text" /></P> <PRE><CODE>index=myindex mess_type=OUT origin=* org_name=* env=* (app_name=cap-demo-test OR app_name=nem-cap-bat OR app_name=nem-cap-pag) | eval newmsg="UPDATE" | rex field=fullmsg "(?CRASHED|STARTED|STOPPED)" | table app_name, time, source_instance, newmsg | sort app_name, time, source_instance, newmsg </CODE></PRE> Tue, 03 Jan 2017 15:06:30 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-display-the-content-from-my-search-results-table-in-a/m-p/212591#M62279 rajgowd1 2017-01-03T15:06:30Z https://community.splunk.com/t5/Splunk-Search/How-do-I-display-the-content-from-my-search-results-table-in-a/m-p/212592#M62280 <P>Hi rajgowd1,<BR /> the best way to do what you want is to download and install the Splunk 6.x dashboard Examples App (<A href="https://splunkbase.splunk.com/app/1603/">https://splunkbase.splunk.com/app/1603/</A>), in which is fully described with an example how to create a scatter chart.<BR /> Bye.<BR /> Giuseppe</P> Tue, 03 Jan 2017 15:21:56 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-display-the-content-from-my-search-results-table-in-a/m-p/212592#M62280 gcusello 2017-01-03T15:21:56Z https://community.splunk.com/t5/Splunk-Search/How-do-I-display-the-content-from-my-search-results-table-in-a/m-p/212593#M62281 <P>Hi,<BR /> i gone through the dashboard examples but it does'not have the chart like i mentioned in my question.</P> <P>is there a way we can show time in x-axis and state in y-axis?</P> Tue, 03 Jan 2017 15:26:14 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-display-the-content-from-my-search-results-table-in-a/m-p/212593#M62281 rajgowd1 2017-01-03T15:26:14Z https://community.splunk.com/t5/Splunk-Search/How-do-I-display-the-content-from-my-search-results-table-in-a/m-p/212594#M62282 <P>Would using timechart work?</P> Tue, 03 Jan 2017 16:59:24 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-display-the-content-from-my-search-results-table-in-a/m-p/212594#M62282 dbcase 2017-01-03T16:59:24Z https://community.splunk.com/t5/Splunk-Search/How-do-I-display-the-content-from-my-search-results-table-in-a/m-p/212595#M62283 <P>HI,<BR /> here is the data i am displaying in table format.i can use timechart but it is not giving all below 4 fields in chart(any) format.</P> <P>can we represent below table in any kind of chart?</P> <P>app_name time source_instance newmsg<BR /> ccp-demo-test 2016-12-24T22:33:17Z 1 STOPPED<BR /> ccp-demo-test 2016-12-24T22:33:18Z 0 STARTED<BR /> ccp-demo-test 2016-12-25T17:48:03Z 1 STOPPED<BR /> ccp-demo-test 2016-12-25T17:48:04Z 2 STARTED<BR /> ccp-demo-test 2016-12-27T16:19:07Z 2 STOPPED</P> Tue, 29 Sep 2020 12:14:56 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-display-the-content-from-my-search-results-table-in-a/m-p/212595#M62283 rajgowd1 2020-09-29T12:14:56Z https://community.splunk.com/t5/Splunk-Search/How-do-I-display-the-content-from-my-search-results-table-in-a/m-p/212596#M62284 <P>What if you concatenated the four fields (or a subset)?</P> <P>i.e.</P> <PRE><CODE>eval variable1=field1." - ".field2 </CODE></PRE> <P>and then used variable1 as the group by with the timechart</P> <P>i.e.</P> <PRE><CODE>your search | timechart count by variable1 </CODE></PRE> <P>Would something like that work?</P> Tue, 03 Jan 2017 17:24:56 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-display-the-content-from-my-search-results-table-in-a/m-p/212596#M62284 dbcase 2017-01-03T17:24:56Z https://community.splunk.com/t5/Splunk-Search/How-do-I-display-the-content-from-my-search-results-table-in-a/m-p/212597#M62285 <P>HI,<BR /> it works and i understand but higher manager doesn't understand this representation.</P> <P>is there any alternate way to represent</P> Tue, 03 Jan 2017 18:10:02 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-display-the-content-from-my-search-results-table-in-a/m-p/212597#M62285 rajgowd1 2017-01-03T18:10:02Z https://community.splunk.com/t5/Splunk-Search/How-do-I-display-the-content-from-my-search-results-table-in-a/m-p/212598#M62286 <P>Hmmmm well a couple of thoughts</P> <P>Have you tried formatting the timechart as a multi-series? This way each series is on a chart of it's own. Might be easier to understand that way.</P> <P>Another option would be to try a Horizon Chart (its a Splunkbase add on - <A href="https://splunkbase.splunk.com/app/3117/">https://splunkbase.splunk.com/app/3117/</A>)</P> <P>What is it in particular that the manager doesn't understand?</P> Tue, 03 Jan 2017 18:23:23 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-display-the-content-from-my-search-results-table-in-a/m-p/212598#M62286 dbcase 2017-01-03T18:23:23Z https://community.splunk.com/t5/Splunk-Search/How-do-I-display-the-content-from-my-search-results-table-in-a/m-p/212599#M62287 <P>HI,thanks for your response.<BR /> i tried multi-series.its better now.</P> <P>and i tried Horizon chart but they were using search something like timechart useother="f" span=1d limit=10 latest(open) by ticker_symbol</P> <P>but i am not sure how can i write my query to fit into horizon chart.</P> Tue, 03 Jan 2017 19:12:48 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-display-the-content-from-my-search-results-table-in-a/m-p/212599#M62287 rajgowd1 2017-01-03T19:12:48Z https://community.splunk.com/t5/Splunk-Search/How-do-I-display-the-content-from-my-search-results-table-in-a/m-p/212600#M62288 <P>Yea that is one limitation of the Horizon chart, it will only graph 10 Y axis values.</P> <P>Glad to hear multi-series helped!!!</P> Tue, 03 Jan 2017 20:09:37 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-display-the-content-from-my-search-results-table-in-a/m-p/212600#M62288 dbcase 2017-01-03T20:09:37Z https://community.splunk.com/t5/Splunk-Search/How-do-I-display-the-content-from-my-search-results-table-in-a/m-p/212601#M62289 <P>thank you.i do not see accept button.<BR /> where can i accept this answer?</P> Tue, 03 Jan 2017 20:14:07 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-display-the-content-from-my-search-results-table-in-a/m-p/212601#M62289 rajgowd1 2017-01-03T20:14:07Z https://community.splunk.com/t5/Splunk-Search/How-do-I-display-the-content-from-my-search-results-table-in-a/m-p/212602#M62290 <P>Just converted it to an answer</P> Tue, 03 Jan 2017 20:22:37 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-display-the-content-from-my-search-results-table-in-a/m-p/212602#M62290 dbcase 2017-01-03T20:22:37Z