Dashboards & Visualizations
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Constants in Splunk Bar Graph Charts

asarolkar
Builder
‎09-12-2012 12:54 PM

I have a query like this - which charts the number of grapes and pears in a fruit cart

sourcetype="fruitlog" type="pear" OR type="grape" | eval InStock=10 | chart first(InStock) as InStock,count(eval(type="pear")) AS numPears, count(eval(type="grape")) AS numGrapes

The InStock amount is the total number of fruits that is UNRELATED to the number of Pears and Grapes.

When I put this up on a dashboard, NO bar appears for the InStock Value of 10. I see numPears and I see numGrapes.

Any ideas so as to why this CONSTANT value would not display on a chart ? It might sound stupid to even have it there, but I need for it to show for comparison.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

jonuwz
Influencer
‎09-12-2012 02:51 PM

Add this to the end of your search

 | transpose | rename "row 1" as count

The trick is to get your data in multiple rows, not across multiple columns.

You can also replace 'chart' with 'stats'

A neater search might be 

sourcetype="fruitlog" type="pear" OR type="grape"
| stats count by type 
| appendpipe [ head 1 | eval type="InStock" | eval count=10 | fields type count ]

The 1st 2 lines gets the count per type (which will graph as-is)

the last line just spoofs an entry for InStock

View solution in original post

Reply
Solved! Jump to solution
Solution

jonuwz
Influencer
‎09-12-2012 02:51 PM

Add this to the end of your search

 | transpose | rename "row 1" as count

The trick is to get your data in multiple rows, not across multiple columns.

You can also replace 'chart' with 'stats'

A neater search might be 

sourcetype="fruitlog" type="pear" OR type="grape"
| stats count by type 
| appendpipe [ head 1 | eval type="InStock" | eval count=10 | fields type count ]

The 1st 2 lines gets the count per type (which will graph as-is)

the last line just spoofs an entry for InStock

Reply
Solved! Jump to solution

jonuwz
Influencer
‎09-12-2012 03:09 PM

yeah - i don't have your data, but this seems to be similar to what you're using :

index=_internal | eval instock=10 | stats first(instock) as instock count(eval(group=="pipeline")) as pipe count(eval(group=="queue")) as queue | transpose | rename "row 1" as count`

or

index=_internal group="pipeline" OR group="queue" | stats count by group | appendpipe [ head 1 | eval group="InStock" | eval count=10 | fields group count ]

Reply
Solved! Jump to solution

asarolkar
Builder
‎09-12-2012 03:02 PM

sourcetype="fruitlog" type="pear" OR type="grape" | eval InStock=10 | chart first(InStock) as InStock,count(eval(type="pear")) AS numPears, count(eval(type="grape")) AS numGrapes | transpose | rename "row 1" as count ???

0 Karma
Reply
Solved! Jump to solution

Ayn
Legend
‎09-12-2012 01:18 PM

It's not that it's a constant, it's that your search will generate one row with multiple columns and the first column will be the one used by the bar chart for the Y-axis label. Try removing the first part of your chart command and you'll see that numPears will disappear from the bar chart and instead be used as a label.

Reply
Solved! Jump to solution

asarolkar
Builder
‎09-12-2012 01:27 PM

So, how would you recommend I frame my search.

A timechart is not desired here but just a chart.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Observability Simplified: Combining User Experience, Application Performance & ...

Tech Talk Observability Simplified: Combining User Experience, Application Performance & Network ...

Event Series May & June: From Network Visibility to Service Intelligence

Unifying the Network: Moving from Alert Noise to Service Intelligence with Splunk ITSI In today’s hybrid ...

Global Splunk User Group Events: May + June 2026

Your Splunk Community Awaits: Discover Upcoming User Group Events Worldwide    Staying ahead in the fast-paced ...