All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Heat Map Viz Limitations

charithaa15
Engager
‎07-25-2019 12:23 PM

I am utilizing Heat Map Viz in Splunk to make dashboards for my company. I am having several limitations on this add-on app.

Limitation #1: Even though, it seems this options only accepts number values, I was wondering if there is another options name where I can enter a query as a conditional. For example, if result=”Failed” then color red, if result=”Success” then color green, default then color grey. This is what I am looking for.

...name="heat-map-viz.heat-map-viz.valHigh">result="Failed"
...name="heat-map-viz.heat-map-viz.valLow">result = "Success"
...name="heat-map-viz.heat-map-viz.valMedium">1

Limitation #2: These queries are another way to solve the problem, but they don’t run. Is there another syntax?

| timechart (count by result) by Jobname limit=100
(This query is not allowed by Splunk with the use of timechart)
| timechart list(result) by Jobname limit=100"

(Can't display using Heat Map, must use Tabular format to display

Question: Is there another visual that I could use to satisfy my project? Because I am trying to use two fields at the same time with one heat map and it doesn’t seem to be working. Thank you very much!

Reply

spavin
Path Finder
‎01-31-2020 04:03 PM

Hi @charithaa15,

I believe you can achieve the desired outcome using a slightly different search.

The viz only accepts numbers, so we need to convert "Failed" and "Success" to numbers. We can do that with an eval statement.

For example, have a look at the follwoing search.

This segment will give you some test data similar to your own data:

| gentimes start=-1 increment=1h
| rename starttime as _time
| eval "Jobname" = if(random()%2==0,"REQUEST_QUOTE_JOB","ADP_EMAIL_JOB"), "result" = if(random()%2==0,"Failed","Success")
| table _time, Jobname, result

This will convert Failed to 0 and Success to 1:

| eval result=if(result="Failed",0,1)

Now we can timechart:

| timechart sum(result) by Jobname limit=100
| fillnull

Putting it all together: :

| gentimes start=-1 increment=1h
| rename starttime as _time
| eval "Jobname" = if(random()%2==0,"REQUEST_QUOTE_JOB","ADP_EMAIL_JOB"), "result" = if(random()%2==0,"Failed","Success")
| table _time, Jobname, result
| eval result=if(result="Failed",0,1)
| timechart sum(result) by Jobname limit=100
| fillnull

The dashboard then shows this:
Heat Map View of Pass/Fail results

Cheers,
Daniel

Preview file
1 KB
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...