Dashboards & Visualizations

Dashboard - Spend Amount Over Time

Declan123
Explorer

Hi All,

I am trying to create a scatter dashboard or similar in Dashboard Studio to show debit transaction amounts over time.

A query like this works well in Search, but translates poorly to the dashboard:

source="Transaction File.csv" "Debit Amount"="*" | stats values("Debit Amount") BY "Posted Transactions Date"

Declan123_0-1723206084223.png

Declan123_1-1723206115278.png

I am aware I likely need to convert the the date from string format to date format within my search, something to the effect of:  |eval Date = strptime("Posted Transactions Date","%d/%m/%y")

But I am struggling to get the final result.

I have also played around with using the _time field instead of Posted Transaction Date  field and with timecharts without success which I think is likely also a formatting issue. 

Eg: 

source=source="Transaction File.csv" | timechart values("Debit Amount")

 

As there are multiple debit amount values per day in some cases, I would ideally like a 2nd similar dashboard that sums these debits per day instead of showing them as individual values whilst also removing 1 outlier debit amount value of 7000.

Struggling a bit with the required search(s) to get my desired dashboard results.

Any help would be appreciated, thank you!

 

 

 

 

Labels (4)
Tags (1)
0 Karma

Declan123
Explorer

Hi @PickleRick ,

Thank you for your reply.

I sorted the date format at the time of uploading the CSV as %d/%m/%Y. By doing this, all of _time events are not the same and are actually the date from the Posted Transactions Date field.

I figured it out in the end by realizing that a Scatter chart is not suitable for date values on the X axis so I changed it to a line chart, and used this search query:

index=main source="Transaction File.csv" | fields "Posted Transactions Date" _time "Debit Amount" "Spending Type" | timechart sum("Debit Amount")

 

Regarding your comment on quotes, I have noticed that comparing my searches to searches I have seen elsewhere. 

However I seem to need to use double quotation marks on fields. For example:

source="Transaction File.csv" 'Debit Amount'="*" (returns no events)

source="Transaction File.csv" Debit Amount="*" (returns no events)

However source="Transaction File.csv" "Debit Amount"="*" (returns all events)

 

0 Karma

PickleRick
SplunkTrust
SplunkTrust

Well, Splunk can be a bit inconsistent sometimes about using quotes. But when you're referencing something as an argument to the function (or a rvalue in an assignment), double quotes will mean that Splunk will use literal string.

So

| eval new_value="Posted Transaction Date"

Would yield a literal string, not the field contents. (Same with strptime arguments).

But yes, in other places that can be a bit unobvious which form to use at any given point.

PickleRick
SplunkTrust
SplunkTrust

For timechart to work you need to have reasonable _time field. I suppose that you ingested whole csv file at once and didn't properly parse the time from your data so your _time will be the same for all events, right?

The way around it would be to overwrite the _time field with the contents of your Posted Transaction Date

index=<yourindex> ...
| eval _time=strptime('Posted Transaction Date',"%proper%time%format")
| timechart values('Debit Amount')

Key thing here is specifying proper time format for the strptime command.

Also be cautious about using proper quotes.

0 Karma
Get Updates on the Splunk Community!

Notification Email Migration Announcement

The Notification Team is migrating our email service provider from Postmark to AWS Simple Email Service (SES) ...

Mastering Synthetic Browser Testing: Pro Tips to Keep Your Web App Running Smoothly

To start, if you're new to synthetic monitoring, I recommend exploring this synthetic monitoring overview. In ...

Splunk Edge Processor | Popular Use Cases to Get Started with Edge Processor

Splunk Edge Processor offers more efficient, flexible data transformation – helping you reduce noise, control ...