I have an upper limit in one field, a lower limit in another field, and actual data in a third field. How do I include the upper and lower limits as part of the actual data so that I can use the chart command showing the actual data between the limits? Using MVJOIN or MVZIP or MVAPPEND will not work because these perform concatenation... I do not need concatenation, I need inclusion.
What say you?
@Lynyrd, seems like you are using Trellis Layout. Just turn it off using the Trellis option as available in your sample screenshot and there should be a single chart with three series.
PS: Splunk does provide an option for developers to write custom search commands and also the option to create custom visualizations in case current SPL or built-in visualizations/custom visualizations available on Splunkbase do not suit your needs.
I don't quite understand what you mean when you say you need inclusion. If you'd like to compare the value in a field called actual_data to the values in fields called upper_limit and lower_limit, you could do this:
your search that leaves you with actual_data, upper_limit, and lower_limit
| where lower_limit<=actual_data AND actual_data<=upper_limit
But I'm not sure that's what you're trying to do. Can you explain more?
sourcetype=mfgtestengsoftware
| search "Result Logged" "Results{}.Pass"=true "B1611" "CCS" "33.[113.1] TP201 TO DGND_LF_PH"
| spath Results{}.Minimum
| spath Results{}.Maximum
| rename Results{}.Maximum AS Maximum
| rename Results{}.Minimum AS Minimum
| spath Results{}.Actual
| rename Results{}.Actual AS Actual
| eval Actual = Round(Actual)
| chart count over Actual
Minimum is the lower limit & Maximum is the upper limit, they are in different fields than the Actual field. So when I use the chart command above "chart count over Actual" the upper and lower limits are not in the plot. I need to get the values of Minimum and Maximum "INCLUDED" into the bins of the actual data so that when the plot is printed on the screen I can SEE the lower and upper limits along with or included with the Actual data.
I'm thinking maybe what you want are chart overlays. Do the examples on these pages look like what you want?
https://docs.splunk.com/Documentation/Splunk/7.0.2/SearchTutorial/Chartoverlays
http://docs.splunk.com/Documentation/SplunkCloud/latest/Viz/Chartcontrols#Chart_overlay
WOW... chart overlay very confusing example. It would be nice if the SPLUNK community could create a simple to use command called "dInclude(X,Y)" meaning data include. The meaning here is that Field X is included into field Y... so that when someone uses "chart count over Y" the data that was in X field is now part of the Y field ... like as if the Y field has adopted the X field. Now X and Y are treated as one field and all the data can be plotted together on the same X axis.
How about this? You should get 3 lines (assuming you're using line chart), one for count of actual, and one each for Minimum and Maximum for that actual.
sourcetype=mfgtestengsoftware
| search "Result Logged" "Results{}.Pass"=true "B1611" "CCS" "33.[113.1] TP201 TO DGND_LF_PH"
| spath Results{}.Minimum
| spath Results{}.Maximum
| rename Results{}.Maximum AS Maximum
| rename Results{}.Minimum AS Minimum
| spath Results{}.Actual
| rename Results{}.Actual AS Actual
| eval Actual = Round(Actual)
| chart count min(Minimum) as Minimum max(Maximum) as Maximum over Actual
That code gave me three individual plots. I need Min, Max and Actual to all be on the same plot.
I would include a picture but I don't have enough karma points.
Getting that format will be tricky. What type of value does that Actual field have? Can you provide some sample output from above query (the table that you get)?