All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Heatmap - Tool, Query, and visualization options.

h52huang
Path Finder
‎06-04-2018 06:06 PM

I currently have a sample data table as below. I want to put it into a heatmap, where Date, TimeWindow, Sum as X, Y, and Z in the heatmap.
Date TimeWindow Sum
3/1/2018 20:20:00—20:40:00 5
3/3/2018 14:40:00—15:00:00 3
3/9/2018 23:20:00—23:40:00 0
3/23/2018 00:40:00—01:00:00 1

I downloaded this heatmap: https://splunkbase.splunk.com/app/3159/

Query I used: source blabla | table Date TimeWindow Sum
The heatmap I got was weird.
alt text

I looked at its sample data from "| inputlookup marx_counts.csv", the input data structure looks completely diffirent.

I think my query is wrong, but I couldn't find examples to refer to. Am I using the right Heatmap app, or would anyone suggest me changing to another Heatwave, or change my input data models...?

Thank you.

Preview file
1 KB
0 Karma
Reply

aljohnson_splun
Splunk Employee
Splunk Employee
‎06-05-2018 06:02 PM

Hello @h52huang,

Indeed, you need to do a bit more formatting before the heatmap will work. It sounds like you have 3 columns you want to use. Two of those columns need to be treated as categorical fields (in the sense that they are the row separations and the column separations). The third column, should be numeric of course.

Thankfully, you simply need to use the timechart command to get it into the right format.

index=_internal
| timechart span=10m count by component

Gives me a visualization like:

alt text

So in your situation, like you only need something like:

... base search
| chart sum(something) by Date TimeWindow

or something like

... base search
| chart first(sum) by Date TimeWindow
Preview file
1 KB
0 Karma
Reply

h52huang
Path Finder
‎06-08-2018 05:58 PM

Hi @aljohnson 🙂

Thanks a lot for helping. I have a few more questions please.

I tried with both
... base search
| chart sum(something) by Date TimeWindow
and
... base search
| chart sum(something) by TimeWindow, Date

The results are totally different for axis values.

by TimeWindow Date gave me:
x: 01:00:00-01:20:00
y: April 2006 (The value is weird, I suspect it was calculated and converted from my 2018-05-07
z: 12

while by Date TimeWindow gave me:
x: May 7 12h
y: 01:00:00-01:20:00
z: 12

I checked how the values look like in a table, they are completely ok. but I don't know why Y axis date string is automatically calculated and then into a date.
Is there a way for me to:
- Remove 12h in the Date field, and reserve Y axis field please?

Thank you so much

0 Karma
Reply

aljohnson_splun
Splunk Employee
Splunk Employee
‎06-11-2018 12:35 PM

Hi @h52huang

Yes, you are correct, that the ordering of the fields with the chart command matters, and will produce different output. You can read more about the chart command here: http://docs.splunk.com/Documentation/Splunk/7.1.1/SearchReference/Chart

Sound like Splunk might be automatically formatting a detected date? You can try adding some string to the beginning of the date to ensure that it isn't formatted, e.g.

| eval Date = "Date: ".Date or you can rename it to a different field possibly?

0 Karma
Reply

niketn
Legend
‎06-04-2018 10:16 PM

@aljohnson 🙂

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...