All Apps and Add-ons

Heat Map Viz Limitations

charithaa15
Engager

I am utilizing Heat Map Viz in Splunk to make dashboards for my company. I am having several limitations on this add-on app.

Limitation #1: Even though, it seems this options only accepts number values, I was wondering if there is another options name where I can enter a query as a conditional. For example, if result=”Failed” then color red, if result=”Success” then color green, default then color grey. This is what I am looking for.

...name="heat-map-viz.heat-map-viz.valHigh">result="Failed"
...name="heat-map-viz.heat-map-viz.valLow">result = "Success"
...name="heat-map-viz.heat-map-viz.valMedium">1

Limitation #2: These queries are another way to solve the problem, but they don’t run. Is there another syntax?

| timechart (count by result) by Jobname limit=100
(This query is not allowed by Splunk with the use of timechart)
| timechart list(result) by Jobname limit=100"

(Can't display using Heat Map, must use Tabular format to display

Question: Is there another visual that I could use to satisfy my project? Because I am trying to use two fields at the same time with one heat map and it doesn’t seem to be working. Thank you very much!

spavin
Path Finder

Hi @charithaa15,

I believe you can achieve the desired outcome using a slightly different search.

The viz only accepts numbers, so we need to convert "Failed" and "Success" to numbers. We can do that with an eval statement.

For example, have a look at the follwoing search.

This segment will give you some test data similar to your own data:

| gentimes start=-1 increment=1h
| rename starttime as _time
| eval "Jobname" = if(random()%2==0,"REQUEST_QUOTE_JOB","ADP_EMAIL_JOB"), "result" = if(random()%2==0,"Failed","Success")
| table _time, Jobname, result

This will convert Failed to 0 and Success to 1:

| eval result=if(result="Failed",0,1)

Now we can timechart:

| timechart sum(result) by Jobname limit=100
| fillnull

Putting it all together: :

| gentimes start=-1 increment=1h
| rename starttime as _time
| eval "Jobname" = if(random()%2==0,"REQUEST_QUOTE_JOB","ADP_EMAIL_JOB"), "result" = if(random()%2==0,"Failed","Success")
| table _time, Jobname, result
| eval result=if(result="Failed",0,1)
| timechart sum(result) by Jobname limit=100
| fillnull

The dashboard then shows this:
Heat Map View of Pass/Fail results

Cheers,
Daniel

Get Updates on the Splunk Community!

See just what you’ve been missing | Observability tracks at Splunk University

Looking to sharpen your observability skills so you can better understand how to collect and analyze data from ...

Weezer at .conf25? Say it ain’t so!

Hello Splunkers, The countdown to .conf25 is on-and we've just turned up the volume! We're thrilled to ...

How SC4S Makes Suricata Logs Ingestion Simple

Network security monitoring has become increasingly critical for organizations of all sizes. Splunk has ...