All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to generate a search for chart?

ChrisCLewis
Communicator
‎09-05-2019 02:20 AM

I really like this add on.

Could you advise on how to generate data needed for dynamic updating. Using makeresults means you can't easily change what you are reporting on as figures need updating manually.

Many thanks

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ChrisCLewis
Communicator
‎09-09-2019 02:35 AM

I have found a solution (unfortunately just getting the output to match the required text didn't work for me as the number of lines in the graph will change and the fields involved will change so the output needs to be run as it's own query) - it needs two queries on a dashboard
The lookup is only needed if you are defining colours for the chart.

This query leaves you with a single value for a field called "base"

index="foo" Name="bar" NOT delta="epsilon*" Number !=""
|stats values(Number) as number by Date Description
|sort Date
|lookup data Date OUTPUT colour as hue
|eval niche=",".Description."=".number
|stats values(hue) as hue values(niche) as niche by Date
| nomv niche
|eval base= "| append[| makeresults |eval key=\"".Date."\" ".niche."| untable key,\"axis\",\"value\" | eval keyColor=\"".hue."\"]"
|stats values(base) as base
|mvcombine delim=" " base
|nomv base
|stats values(base)

You need to assign a token to the search:
set token="field_token">$result.base$

Then this query in the second panel which will be the chart:
|loadjob $field_token$

result.base only takes the first value for the field which is fine as all the results have been combined. I found it when looking into tokens and id's for searches (https://answers.splunk.com/answers/660087/why-is-the-token-resultfield-not-populating-as-def.html).

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

ChrisCLewis
Communicator
‎09-09-2019 02:35 AM

I have found a solution (unfortunately just getting the output to match the required text didn't work for me as the number of lines in the graph will change and the fields involved will change so the output needs to be run as it's own query) - it needs two queries on a dashboard
The lookup is only needed if you are defining colours for the chart.

This query leaves you with a single value for a field called "base"

index="foo" Name="bar" NOT delta="epsilon*" Number !=""
|stats values(Number) as number by Date Description
|sort Date
|lookup data Date OUTPUT colour as hue
|eval niche=",".Description."=".number
|stats values(hue) as hue values(niche) as niche by Date
| nomv niche
|eval base= "| append[| makeresults |eval key=\"".Date."\" ".niche."| untable key,\"axis\",\"value\" | eval keyColor=\"".hue."\"]"
|stats values(base) as base
|mvcombine delim=" " base
|nomv base
|stats values(base)

You need to assign a token to the search:
set token="field_token">$result.base$

Then this query in the second panel which will be the chart:
|loadjob $field_token$

result.base only takes the first value for the field which is fine as all the results have been combined. I found it when looking into tokens and id's for searches (https://answers.splunk.com/answers/660087/why-is-the-token-resultfield-not-populating-as-def.html).

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎09-09-2019 04:54 AM

@ChrisCLewis If your problem is resolved, please accept an answer to help future readers.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

shaskell_splunk
Splunk Employee
Splunk Employee
‎09-05-2019 11:46 AM

These are the required fields needed to power the viz.

https://github.com/sghaskell/custom-radar-chart-viz#required-fields

  • key
  • axis
  • value

Just make sure the output of the data looks similar to this. Note that keyColor is an optional field.

alt text

0 Karma
Reply
Solved! Jump to solution

DalJeanis
SplunkTrust
SplunkTrust
‎09-05-2019 08:00 AM

makeresults is generally used for demo purposes. You just write a search that reads your indexes and creates output records in the same format that the sample data has.

If you post a sample query of how you get the information you want to display, and the input format for the chart, then we can help you write the required search.

0 Karma
Reply
Get Updates on the Splunk Community!

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...