All Apps and Add-ons
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Heat Map Viz Limitations

charithaa15
Engager
‎07-25-2019 12:23 PM

I am utilizing Heat Map Viz in Splunk to make dashboards for my company. I am having several limitations on this add-on app.

Limitation #1: Even though, it seems this options only accepts number values, I was wondering if there is another options name where I can enter a query as a conditional. For example, if result=”Failed” then color red, if result=”Success” then color green, default then color grey. This is what I am looking for.

...name="heat-map-viz.heat-map-viz.valHigh">result="Failed"
...name="heat-map-viz.heat-map-viz.valLow">result = "Success"
...name="heat-map-viz.heat-map-viz.valMedium">1

Limitation #2: These queries are another way to solve the problem, but they don’t run. Is there another syntax?

| timechart (count by result) by Jobname limit=100
(This query is not allowed by Splunk with the use of timechart)
| timechart list(result) by Jobname limit=100"

(Can't display using Heat Map, must use Tabular format to display

Question: Is there another visual that I could use to satisfy my project? Because I am trying to use two fields at the same time with one heat map and it doesn’t seem to be working. Thank you very much!

Reply

spavin
Path Finder
‎01-31-2020 04:03 PM

Hi @charithaa15,

I believe you can achieve the desired outcome using a slightly different search.

The viz only accepts numbers, so we need to convert "Failed" and "Success" to numbers. We can do that with an eval statement.

For example, have a look at the follwoing search.

This segment will give you some test data similar to your own data:

| gentimes start=-1 increment=1h
| rename starttime as _time
| eval "Jobname" = if(random()%2==0,"REQUEST_QUOTE_JOB","ADP_EMAIL_JOB"), "result" = if(random()%2==0,"Failed","Success")
| table _time, Jobname, result

This will convert Failed to 0 and Success to 1:

| eval result=if(result="Failed",0,1)

Now we can timechart:

| timechart sum(result) by Jobname limit=100
| fillnull

Putting it all together: :

| gentimes start=-1 increment=1h
| rename starttime as _time
| eval "Jobname" = if(random()%2==0,"REQUEST_QUOTE_JOB","ADP_EMAIL_JOB"), "result" = if(random()%2==0,"Failed","Success")
| table _time, Jobname, result
| eval result=if(result="Failed",0,1)
| timechart sum(result) by Jobname limit=100
| fillnull

The dashboard then shows this:
Heat Map View of Pass/Fail results

Cheers,
Daniel

Preview file
26 KB
Reply
Get Updates on the Splunk Community!

Index This | When is October more than just the tenth month?

October 2025 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

What’s New & Next in Splunk SOAR

 Security teams today are dealing with more alerts, more tools, and more pressure than ever.  Join us for an ...