How to generate a search for chart?

Communicator

I really like this add-on.

Could you advise on how to generate the data needed for dynamic updating? Using makeresults means you can't easily change what you are reporting on, as figures need updating manually.

Many thanks

0 Karma

Re: How to generate a search for chart?

SplunkTrust

makeresults is generally used for demo purposes. You just write a search that reads your indexes and creates output records in the same format that the sample data has.

If you post a sample query of how you get the information you want to display, and the input format for the chart, then we can help you write the required search.

0 Karma

Re: How to generate a search for chart?

Splunk Employee

These are the required fields needed to power the viz.

https://github.com/sghaskell/custom-radar-chart-viz#required-fields

  • key
  • axis
  • value

Just make sure the output of the data looks similar to this. Note that keyColor is an optional field.

0 Karma
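
As an added example (not from the original posts or the add-on's documentation), this search emits one row per key and axis with the required fields directly from indexed data, so the chart follows whatever the index returns. It reuses the index, field and lookup names from the accepted solution in this thread and assumes each Date/Description pair carries a single Number and that the lookup returns one colour per Date:

```spl
index="foo" Name="bar" NOT delta="epsilon*" Number!=""
| stats latest(Number) as value by Date Description
| lookup data Date OUTPUT colour as keyColor
| rename Date as key, Description as axis
| sort key axis
| table key axis value keyColor
```

Drop the lookup line if you are not defining colours, since keyColor is optional.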

Re: How to generate a search for chart?

Communicator

I have found a solution (unfortunately just getting the output to match the required text didn't work for me, as the number of lines in the graph will change and the fields involved will change, so the output needs to be run as its own query). It needs two queries on a dashboard.
The lookup is only needed if you are defining colours for the chart.

This query leaves you with a single value for a field called "base"

index="foo" Name="bar" NOT delta="epsilon*" Number!=""
| stats values(Number) as number by Date Description
| sort Date
| lookup data Date OUTPUT colour as hue
| eval niche=",".Description."=".number
| stats values(hue) as hue values(niche) as niche by Date
| nomv niche
| eval base="| append[| makeresults |eval key=\"".Date."\" ".niche."| untable key,\"axis\",\"value\" | eval keyColor=\"".hue."\"]"
| stats values(base) as base
| mvcombine delim=" " base
| nomv base
| stats values(base) as base

You need to assign a token to the search:
<set token="field_token">$result.base$</set>

Then this query goes in the second panel, which will be the chart:
| loadjob $field_token$

result.base only takes the first value for the field, which is fine as all the results have been combined. I found it when looking into tokens and IDs for searches (https://answers.splunk.com/answers/660087/why-is-the-token-resultfield-not-populating-as-def.html).

0 Karma

Re: How to generate a search for chart?

SplunkTrust

@ChrisCLewis If your problem is resolved, please accept an answer to help future readers.

---
If this reply helps you, an upvote would be appreciated.
0 Karma