multiple bar charts from one search result table

New Member

Hi

I have a search that returns a table with 3 columns; the first column is the process name, the second is timestamps (say every 5 minutes for the last 4 hours), the third is the number of items in the queue for that process at that timestamp. I'd like to generate a separate bar chart for each of the processes (there can be 30 or more processes so generate that many small bar charts).

Can this be done or do I need over 30 searches or 30 filters against one search or some-such and generate a chart from each of those searches?

Thanks for any help you can give (we have Splunk Enterprise 6.5).

Bill

0 Karma

Re: multiple bar charts from one search result table

Splunk Employee

I'd look into http://docs.splunk.com/Documentation/Splunk/6.5.0/Viz/Savedsearches#Post-process_searches where you have a base search that contains your "datacube" or all the results you want. Then define some postprocess searches that filter down to your processes. Afaik, there's no way in simplexml to spawn off multiple visualizations from one result set without postprocess. If there was a way to group the processes, that would cut down on the amount of filters needed, then you could show a bar chart with a group of say 5 processes or what have you.

0 Karma

Re: multiple bar charts from one search result table

Motivator

If you already have fields called process, myTime (5 minutes difference time over last four hours), and queue_item, can you not try this and see if that's what you needed:

your query to return the process, myTime and queue_item
| chart count(queue_item) over myTime by process

Choose bar chart as the visualization option.

If the time division is not already done and you need to perform this 5-minute division first, just add earliest=-4h in the first line of the search that you perform and later | bucket _time span=5m to divide _time into 5-minute spans, then do similar charting, like:

your query to return the process and queue_item earliest=-4h
| bucket _time span=5m
| chart count(queue_item) over _time by process
0 Karma

Re: multiple bar charts from one search result table

New Member

Hi

Thanks for your help on this. In the end I used individual queries (mostly the same but '... | search process="process_name" ') for each bar chart on one dashboard. Not ideal but is working well.

Bill

0 Karma