- Splunk Answers
- :
- Using Splunk
- :
- Dashboards & Visualizations
- :
- Re: Display multiple fields in a Bar or Pie Chart
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I want to set up a Bar graph that displays more than just the count and 1 field (only when hovering over it). For example I use:
search | stats count by Risk
This shows me the risks I have for each event.
I use this search to see results for High medium and low risks for servers with vulnerabilities.
However if I use:
search | stats count by Risk, Servers
The bar graph looks really small and almost impossible to read since it's displaying all servers and risks.
How do I set it up so it displays just the risks on the actual graph BUT also shows me the servers if I hover over my mouse to that specific bar?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@jrevolorio, Try to use the following query and create a stacked chart by editing from UI ... Format > General > Stacked Mode --> stacked or setting the following in Simple XML
<option name="charting.chart.stackMode">stacked</option>
Following are two versions of SPLs you can try
1) Sets servers as legend and give count of Risks as stacked chart.
<YourBaseSearch>
| chart count over Risk by Servers
2) Sets Risks as legend and give count of Servers for each Risk type as stacked chart.
<YourBaseSearch>
| chart count over Risk by Servers
| makeresults | eval message= "Happy Splunking!!!"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@jrevolorio, Try to use the following query and create a stacked chart by editing from UI ... Format > General > Stacked Mode --> stacked or setting the following in Simple XML
<option name="charting.chart.stackMode">stacked</option>
Following are two versions of SPLs you can try
1) Sets servers as legend and give count of Risks as stacked chart.
<YourBaseSearch>
| chart count over Risk by Servers
2) Sets Risks as legend and give count of Servers for each Risk type as stacked chart.
<YourBaseSearch>
| chart count over Risk by Servers
| makeresults | eval message= "Happy Splunking!!!"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
AFAIK, there is no way to do that. But you could set up a custom drilldown such that when you click on a bar, another panel displays that shows the details.
You can see examples of this if you download the Splunk 6 Dashboards Examples app, which will also show you the code.
Or you can just look it up in the Dashboards and Visualizations manual (which I think is more work and less fun.) I have the app installed on my laptop, just so I can use it to figure out how to do cool stuff like this (and much more).
Routing logs with Splunk OTel Collector for Kubernetes
Welcome to the Splunk Community!
Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM
