How to generate a search for chart?

ChrisCLewis
Communicator

I really like this add on.

Could you advise on how to generate data needed for dynamic updating? Using makeresults means you can't easily change what you are reporting on as figures need updating manually.

Many thanks

0 Karma
1 Solution

ChrisCLewis
Communicator

I have found a solution (unfortunately just getting the output to match the required text didn't work for me as the number of lines in the graph will change and the fields involved will change so the output needs to be run as its own query) - it needs two queries on a dashboard.
The lookup is only needed if you are defining colours for the chart.

This query leaves you with a single value for a field called "base"

index="foo" Name="bar" NOT delta="epsilon*" Number !=""
|stats values(Number) as number by Date Description
|sort Date
|lookup data Date OUTPUT colour as hue
|eval niche=",".Description."=".number
|stats values(hue) as hue values(niche) as niche by Date
| nomv niche
|eval base= "| append[| makeresults |eval key=\"".Date."\" ".niche."| untable key,\"axis\",\"value\" | eval keyColor=\"".hue."\"]"
|stats values(base) as base
|mvcombine delim=" " base
|nomv base
|stats values(base) as base

You need to assign a token to the search:
<set token="field_token">$result.base$</set>

Then this query in the second panel which will be the chart:
|loadjob $field_token$

result.base only takes the first value for the field which is fine as all the results have been combined. I found it when looking into tokens and IDs for searches (https://answers.splunk.com/answers/660087/why-is-the-token-resultfield-not-populating-as-def.html).

0 Karma

richgalloway
SplunkTrust

@ChrisCLewis If your problem is resolved, please accept an answer to help future readers.

---
If this reply helps you, Karma would be appreciated.
0 Karma

shaskell_splunk
Splunk Employee

These are the required fields needed to power the viz.

https://github.com/sghaskell/custom-radar-chart-viz#required-fields

  • key
  • axis
  • value

Just make sure the output of the data looks similar to this. Note that keyColor is an optional field.

0 Karma

DalJeanis
Legend

makeresults is generally used for demo purposes. You just write a search that reads your indexes and creates output records in the same format that the sample data has.

If you post a sample query of how you get the information you want to display, and the input format for the chart, then we can help you write the required search.

0 Karma
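
The approach described in the two replies above (read the index and emit rows with the key, axis and value fields, plus the optional keyColor), written as an added example that is not from the thread's participants or the add-on's documentation. It reuses the index, field and lookup names from the posted query and assumes that Date should become key, Description should become axis, the latest Number per Date/Description pair is the value to plot, and the lookup named data returns a colour for each Date.

```spl
index="foo" Name="bar" NOT delta="epsilon*" Number!=""
| stats latest(Number) as value by Date Description
| eval value=tonumber(value)
| where isnotnull(value)
| lookup data Date OUTPUT colour as keyColor
| rename Date as key, Description as axis
| sort 0 key axis
| table key axis value keyColor
```

Because stats emits one row per Date/Description pair, the number of series and axes follows the data without editing the search; rows whose Number is not numeric are dropped by the tonumber and isnotnull steps.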