All Apps and Add-ons
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Can I use icons dynamically without a lookup? Flow Map Viz

bimord
Path Finder
‎03-15-2020 09:10 PM

I am trying to use the Flow Viz Map app with dynamic values utilizing the icons but am having...

This is what I have so far (only drawing one 'tablet' OR the 2 'database' elements but not both and no flow is visable):

index=main sourcetype="*:application"
| stats sum(eval(event_severity_code="SUCCESS")) as good
sum(eval(event_severity_code="ERROR")) as errors
sum(eval(event_severity_code="WARNING")) as warn by host
| eval path=if(like(host,"business%"),"BEL---"+host,"")
| eval node="BEL" how do I add more than one node?
| eval icon=if(match(node,"BEL"),"tablet","database")
| table path node good warn error icon

This second query returns correct results but with no icons:

index=main sourcetype="*:application"
| stats sum(eval(event_severity_code="SUCCESS")) as good
sum(eval(event_severity_code="ERROR")) as errors
sum(eval(event_severity_code="WARNING")) as warn by host
| eval to=host, from="BEL"
| table to from good warn error
no icons

Any help would be appreciated 🙂

Thank you @chrisyoungerjds for your help - I was able to achieve these results with your help 🙂
with icons

Preview file
7 KB
Preview file
22 KB
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

chrisyounger
SplunkTrust
SplunkTrust
‎03-15-2020 09:19 PM

Hi @Bimord

I can appreciate that this is quite confusing, but you need to output two different "types" of rows. The path rows and the node rows. So your query here is going to create "path rows" 

index=main sourcetype="*:application"
| stats sum(eval(event_severity_code="SUCCESS")) as good
sum(eval(event_severity_code="ERROR")) as errors
sum(eval(event_severity_code="WARNING")) as warn by host
| eval to=host, from="BEL"
| table to from good warn error

So you then need to add on the node rows. One way to do that, is a query like so:

| makeresults
| eval raw = "
node=BEL label=\"My Bel\" icon=users labely=30 height=40  ### 
node=host1 icon=tablet labely=30 height=40  ### 
node=host2 icon=database labely=30 height=40 "
| makemv delim="###" raw
| mvexpand raw 
| rename raw  as  _raw 
| extract
| table node label icon labely height

and finally combine both queries together like so:

index=main sourcetype="*:application"
| stats sum(eval(event_severity_code="SUCCESS")) as good
sum(eval(event_severity_code="ERROR")) as errors
sum(eval(event_severity_code="WARNING")) as warn by host
| eval to=host, from="BEL"
| append [| makeresults
| eval raw = "node=BEL label=\"My label\" icon=users labely=30 height=40  ### 
    node=host1 icon=tablet labely=30 height=40  ### 
    node=host2 icon=database labely=30 height=40 "
    | makemv delim="###" raw
    | mvexpand raw 
    | rename raw  as  _raw 
    | extract ]
| table to from good warn error node icon labely label height

Hope this helps,
Chris

View solution in original post

Reply
Solved! Jump to solution
Solution

chrisyounger
SplunkTrust
SplunkTrust
‎03-15-2020 09:19 PM

Hi @Bimord

I can appreciate that this is quite confusing, but you need to output two different "types" of rows. The path rows and the node rows. So your query here is going to create "path rows" 

index=main sourcetype="*:application"
| stats sum(eval(event_severity_code="SUCCESS")) as good
sum(eval(event_severity_code="ERROR")) as errors
sum(eval(event_severity_code="WARNING")) as warn by host
| eval to=host, from="BEL"
| table to from good warn error

So you then need to add on the node rows. One way to do that, is a query like so:

| makeresults
| eval raw = "
node=BEL label=\"My Bel\" icon=users labely=30 height=40  ### 
node=host1 icon=tablet labely=30 height=40  ### 
node=host2 icon=database labely=30 height=40 "
| makemv delim="###" raw
| mvexpand raw 
| rename raw  as  _raw 
| extract
| table node label icon labely height

and finally combine both queries together like so:

index=main sourcetype="*:application"
| stats sum(eval(event_severity_code="SUCCESS")) as good
sum(eval(event_severity_code="ERROR")) as errors
sum(eval(event_severity_code="WARNING")) as warn by host
| eval to=host, from="BEL"
| append [| makeresults
| eval raw = "node=BEL label=\"My label\" icon=users labely=30 height=40  ### 
    node=host1 icon=tablet labely=30 height=40  ### 
    node=host2 icon=database labely=30 height=40 "
    | makemv delim="###" raw
    | mvexpand raw 
    | rename raw  as  _raw 
    | extract ]
| table to from good warn error node icon labely label height

Hope this helps,
Chris

Reply
Solved! Jump to solution

bimord
Path Finder
‎03-15-2020 09:50 PM

Hi Chris -- Thanks for the speedy response

The problem there is that the names of the hosts are often cycling so can't be hardcoded into a raw like that. Is it possible to do something like 

... | eval raw = "node=BEL label=\"My label\" icon=users labely=30 height=40  ### 
 node=" + host + " icon=tablet labely=30 height=40 "
0 Karma
Reply
Solved! Jump to solution

chrisyounger
SplunkTrust
SplunkTrust
‎03-15-2020 10:16 PM

Yep sorry I should have given you a better example. Try something like this:

index=main sourcetype="*:application"
 | stats sum(eval(event_severity_code="SUCCESS")) as good
 sum(eval(event_severity_code="ERROR")) as errors
 sum(eval(event_severity_code="WARNING")) as warn by host
 | eval to=host, from="BEL"
 | append [ search index=main sourcetype="*:application" | stats count by host | eval icon = "tablet" | rename host as node | table node icon ]
 | table to from good warn error node icon
Reply
Solved! Jump to solution

bimord
Path Finder
‎03-15-2020 10:21 PM

Thankyou Chris -- this is perfect 🙂

0 Karma
Reply
Solved! Jump to solution

chrisyounger
SplunkTrust
SplunkTrust
‎03-15-2020 10:24 PM

Good one. Glad it solved your problem.

0 Karma
Reply
Solved! Jump to solution

bimord
Path Finder
‎03-15-2020 10:27 PM

I used both your solutions in the one to get the output i was hoping for 🙂

index=main sourcetype="*:application" 
      |  stats sum(eval(event_severity_code="SUCCESS")) as good sum(eval(event_severity_code="ERROR")) as errors sum(eval(event_severity_code="WARNING")) as warn by host 
            | eval from=host, to="BEL"
            | append 
              [| makeresults 
                | eval raw = "node=BEL label=\"BEL\" icon=cog" 
                | makemv delim="###" raw 
                | mvexpand raw 
                | rename raw as _raw 
                | extract ] 
            | append 
              [ search index=main sourcetype="*:application" 
                | stats count by host 
                | eval icon = "tablet" 
                | rename host as node 
                | table node icon ] 
            | table to from good warn error node icon label
0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

May 2026 Splunk Expert Sessions: Security & Observability

Level Up Your Operations: May 2026 Splunk Expert Sessions Whether you are refining your security posture or ...

Network to App: Observability Unlocked [May & June Series]

In today’s digital landscape, your environment is no longer confined to the data center. It spans complex ...

SPL2 Deep Dives, AppDynamics Integrations, SAML Made Simple and Much More on Splunk ...

Splunk Lantern is Splunk’s customer success center that provides practical guidance from Splunk experts on key ...