Bubble Chart - X, Y, Bubble size and category name

niyaz006 · ‎06-23-2019

I have created a bubble chart with X-axis value, Y-axis value and Bubble size. Each row is unique and they have a category name. Now I want to display the category name as the legend for each of the bubble.

Sample Data:
Region|ProductCount|Sales|Profit
North|10|1000|200
South|20|2000|250
East|15|1000|150
West|15|1000|300

X-axis = ProductCount
Y-axis = Sales
Bubble Size = Profit

I got until this. But I am not able to get Region as legend/color. The below code works without 'Region' in the table.

index=foo
| stats sum(ProductCount) as ProductCount, sum(Sales) as Sales, sum(Profit) as Profit by Region
| table Region, ProductCount, Sales, Profit

DavidHourani · ‎06-24-2019

Hi @niyaz006,

This is working for me :

| makeresults 
| eval A="North|10|1000|200###
South|20|2000|250###
East|15|1000|150###
West|15|1000|300###" 
| makemv delim="###" A 
| mvexpand A 
| rex field=A "^(?<Region>[^|]+)\|(?<ProductCount>[^|]+)\|(?<Sales>[^|]+)\|(?<Profit>[^|]+)"
| stats sum(ProductCount) as ProductCount, sum(Sales) as Sales, sum(Profit) as Profit by Region
| table Region, Sales, ProductCount, Profit

Could you try it and let me know if it works for you as well ?

Also you could replace stats with chart, still works the same way :

| makeresults 
| eval A="North|10|1000|200###
South|20|2000|250###
East|15|1000|150###
West|15|1000|300###" 
| makemv delim="###" A 
| mvexpand A 
| rex field=A "^(?<Region>[^|]+)\|(?<ProductCount>[^|]+)\|(?<Sales>[^|]+)\|(?<Profit>[^|]+)"
| chart sum(ProductCount) as ProductCount, sum(Sales) as Sales, sum(Profit) as Profit by Region
 | table Region, Sales, ProductCount, Profit

Cheers,
David

Bubble Chart - X, Y, Bubble size and category name

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Combine Multiline Logs into a Single Event with SOCK: a Step-by-Step Guide for ...