All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Heat Map Viz Limitations

charithaa15
Engager
‎07-25-2019 12:23 PM

I am utilizing Heat Map Viz in Splunk to make dashboards for my company. I am having several limitations on this add-on app.

Limitation #1: Even though, it seems this options only accepts number values, I was wondering if there is another options name where I can enter a query as a conditional. For example, if result=”Failed” then color red, if result=”Success” then color green, default then color grey. This is what I am looking for.

...name="heat-map-viz.heat-map-viz.valHigh">result="Failed"
...name="heat-map-viz.heat-map-viz.valLow">result = "Success"
...name="heat-map-viz.heat-map-viz.valMedium">1

Limitation #2: These queries are another way to solve the problem, but they don’t run. Is there another syntax?

| timechart (count by result) by Jobname limit=100
(This query is not allowed by Splunk with the use of timechart)
| timechart list(result) by Jobname limit=100"

(Can't display using Heat Map, must use Tabular format to display

Question: Is there another visual that I could use to satisfy my project? Because I am trying to use two fields at the same time with one heat map and it doesn’t seem to be working. Thank you very much!

Reply

spavin
Path Finder
‎01-31-2020 04:03 PM

Hi @charithaa15,

I believe you can achieve the desired outcome using a slightly different search.

The viz only accepts numbers, so we need to convert "Failed" and "Success" to numbers. We can do that with an eval statement.

For example, have a look at the follwoing search.

This segment will give you some test data similar to your own data:

| gentimes start=-1 increment=1h
| rename starttime as _time
| eval "Jobname" = if(random()%2==0,"REQUEST_QUOTE_JOB","ADP_EMAIL_JOB"), "result" = if(random()%2==0,"Failed","Success")
| table _time, Jobname, result

This will convert Failed to 0 and Success to 1:

| eval result=if(result="Failed",0,1)

Now we can timechart:

| timechart sum(result) by Jobname limit=100
| fillnull

Putting it all together: :

| gentimes start=-1 increment=1h
| rename starttime as _time
| eval "Jobname" = if(random()%2==0,"REQUEST_QUOTE_JOB","ADP_EMAIL_JOB"), "result" = if(random()%2==0,"Failed","Success")
| table _time, Jobname, result
| eval result=if(result="Failed",0,1)
| timechart sum(result) by Jobname limit=100
| fillnull

The dashboard then shows this:
Heat Map View of Pass/Fail results

Cheers,
Daniel

Preview file
1 KB
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...