Heat Map Viz Limitations

charithaa15
Engager

I am utilizing Heat Map Viz in Splunk to make dashboards for my company. I am having several limitations on this add-on app.

Limitation #1: Even though it seems this option only accepts number values, I was wondering if there is another option name where I can enter a query as a conditional. For example, if result="Failed" then color red, if result="Success" then color green, default then color grey. This is what I am looking for.

...name="heat-map-viz.heat-map-viz.valHigh">result="Failed"
...name="heat-map-viz.heat-map-viz.valLow">result = "Success"
...name="heat-map-viz.heat-map-viz.valMedium">1

Limitation #2: These queries are another way to solve the problem, but they don’t run. Is there another syntax?

| timechart (count by result) by Jobname limit=100
(This query is not allowed by Splunk with the use of timechart)
| timechart list(result) by Jobname limit=100
(Can't display using Heat Map; must use Tabular format to display)

Question: Is there another visual that I could use to satisfy my project? Because I am trying to use two fields at the same time with one heat map and it doesn’t seem to be working. Thank you very much!

spavin
Path Finder

Hi @charithaa15,

I believe you can achieve the desired outcome using a slightly different search.

The viz only accepts numbers, so we need to convert "Failed" and "Success" to numbers. We can do that with an eval statement.

For example, have a look at the following search.

This segment will give you some test data similar to your own data:

| gentimes start=-1 increment=1h
| rename starttime as _time
| eval "Jobname" = if(random()%2==0,"REQUEST_QUOTE_JOB","ADP_EMAIL_JOB"), "result" = if(random()%2==0,"Failed","Success")
| table _time, Jobname, result

This will convert Failed to 0 and Success to 1:

| eval result=if(result="Failed",0,1)

Now we can timechart:

| timechart sum(result) by Jobname limit=100
| fillnull

Putting it all together:

| gentimes start=-1 increment=1h
| rename starttime as _time
| eval "Jobname" = if(random()%2==0,"REQUEST_QUOTE_JOB","ADP_EMAIL_JOB"), "result" = if(random()%2==0,"Failed","Success")
| table _time, Jobname, result
| eval result=if(result="Failed",0,1)
| timechart sum(result) by Jobname limit=100
| fillnull

The dashboard then shows this:
[Image: Heat Map View of Pass/Fail results]

Cheers,
Daniel
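
Added example, not part of the answer above: the question asked for three states (Failed, Success, and a default), so this search extends the answer's eval to three numeric levels with case() and uses max() instead of sum(), so that a time bucket containing any failure shows the failure level rather than a count of successes. The third result value "Running" and the field names r and status are constructed for illustration; how the viz's valLow/valMedium/valHigh options map these levels to colors is not shown on this page and has to be set to separate 0, 1 and 2.

```spl
| gentimes start=-1 increment=1h
| rename starttime as _time
| eval Jobname=if(random()%2==0,"REQUEST_QUOTE_JOB","ADP_EMAIL_JOB")
| eval r=random()%3, result=case(r==0,"Failed", r==1,"Success", true(),"Running")
| table _time, Jobname, result
| eval status=case(result=="Failed",2, result=="Success",1, true(),0)
| timechart span=1h max(status) by Jobname limit=100
| fillnull value=0
```

With this mapping, 2 means at least one failure in the hour, 1 means only successes (possibly alongside other states), and 0 covers both the default state and hours with no events for that job.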
