Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Charts getting overlapped and doesnt display properly

asubramanian
Explorer
‎12-09-2019 12:36 PM

I am creating a chart based on a log message value which can have say around 4 value. below is a sample search query

index=_internal
"INFO  Metrics - group=search_health_metrics"
 | rex field=_raw "name=(?<metric_name>(\S+)),"
 | where isnotnull(metric_name)
 |  eval token_type=case(metric_name="compute_search_quota", "value1", metric_name="bundle_directory_reaper", "value2", metric_name="dispatch_directory_reaper", "value3", metric_name="distributed_peer_heartbeat", "value4")
 | eval _stat1=if(token_type="value1", 1, 0)
 | eval _stat2=if(token_type="value2", 1, 0)
 | eval _stat3=if(token_type="value3", 1, 0)
 | eval _stat4=if(token_type="value4", 1, 0)
 | stats sum(_stat1) as Stat1, sum(_stat2) as Stat2, sum(_stat3) as Stat3, sum(_stat4) as Stat4

The charts are showing up overlapped for ex, stat1 is getting displayed on top of stat2. but if I show as table the stats shows correctly.

Tags (1)
Preview file
1 KB
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

to4kawa
Ultra Champion
‎12-13-2019 10:18 AM

Easy way:

index=_internal "INFO  Metrics - group=search_health_metrics" 
| rex field=_raw "name=(?<metric_name>(\S+))," 
| eval Stats=case(metric_name="compute_search_quota", "Stat1", metric_name="bundle_directory_reaper", "Stat2", metric_name="dispatch_directory_reaper", "Stat3", metric_name="distributed_peer_heartbeat", "Stat4",true(),NULL) 
| stats count by Stats

Temporary:

| makeresults 
| eval _raw="Stat1,Stat2,Stat3,Stat4
95329,9530,9530,47"
| multikv forceheader=1
| fields - _*, linecount
`comment("the logic is blow")`
| transpose 0
| rename "row 1" as count, column as stats

View solution in original post

Reply
Solved! Jump to solution
Solution

to4kawa
Ultra Champion
‎12-13-2019 10:18 AM

Easy way:

index=_internal "INFO  Metrics - group=search_health_metrics" 
| rex field=_raw "name=(?<metric_name>(\S+))," 
| eval Stats=case(metric_name="compute_search_quota", "Stat1", metric_name="bundle_directory_reaper", "Stat2", metric_name="dispatch_directory_reaper", "Stat3", metric_name="distributed_peer_heartbeat", "Stat4",true(),NULL) 
| stats count by Stats

Temporary:

| makeresults 
| eval _raw="Stat1,Stat2,Stat3,Stat4
95329,9530,9530,47"
| multikv forceheader=1
| fields - _*, linecount
`comment("the logic is blow")`
| transpose 0
| rename "row 1" as count, column as stats
Reply
Solved! Jump to solution

vnravikumar
Champion
‎12-13-2019 12:38 AM

Hi

What do you want to show in x-axis and y-axis?

0 Karma
Reply
Solved! Jump to solution

Richfez
SplunkTrust
SplunkTrust
‎12-10-2019 11:36 AM

Can you upload a screenshot of this?

0 Karma
Reply
Solved! Jump to solution

asubramanian
Explorer
‎12-12-2019 02:42 PM

@rich7177 Updated the query to use the internal logs and attached the chart I am seeing. In the image you can see stat1 & stat3 are overlapped, below table shows some data

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...