Dashboards & Visualizations

Display multiple fields in a Bar or Pie Chart

jrevolorio
Explorer

I want to set up a Bar graph that displays more than just the count and 1 field (only when hovering over it). For example I use:

search | stats count by Risk

This shows me the risks I have for each event.

I use this search to see results for High medium and low risks for servers with vulnerabilities.

However if I use:

search | stats count by Risk, Servers

The bar graph looks really small and almost impossible to read since it's displaying all servers and risks.

How do I set it up so it displays just the risks on the actual graph BUT also shows me the servers if I hover over my mouse to that specific bar?

Tags (1)
0 Karma
1 Solution

niketnilay
Legend

@jrevolorio, Try to use the following query and create a stacked chart by editing from UI ... Format > General > Stacked Mode --> stacked or setting the following in Simple XML

<option name="charting.chart.stackMode">stacked</option>

Following are two versions of SPLs you can try

1) Sets servers as legend and give count of Risks as stacked chart.

<YourBaseSearch>
| chart count over Risk by Servers

2) Sets Risks as legend and give count of Servers for each Risk type as stacked chart.

<YourBaseSearch>
| chart count over Risk by Servers
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

View solution in original post

niketnilay
Legend

@jrevolorio, Try to use the following query and create a stacked chart by editing from UI ... Format > General > Stacked Mode --> stacked or setting the following in Simple XML

<option name="charting.chart.stackMode">stacked</option>

Following are two versions of SPLs you can try

1) Sets servers as legend and give count of Risks as stacked chart.

<YourBaseSearch>
| chart count over Risk by Servers

2) Sets Risks as legend and give count of Servers for each Risk type as stacked chart.

<YourBaseSearch>
| chart count over Risk by Servers
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

View solution in original post

lguinn2
Legend

AFAIK, there is no way to do that. But you could set up a custom drilldown such that when you click on a bar, another panel displays that shows the details.

You can see examples of this if you download the Splunk 6 Dashboards Examples app, which will also show you the code.
Or you can just look it up in the Dashboards and Visualizations manual (which I think is more work and less fun.) I have the app installed on my laptop, just so I can use it to figure out how to do cool stuff like this (and much more).

0 Karma
Register for .conf21 Now! Go Vegas or Go Virtual!

How will you .conf21? You decide! Go in-person in Las Vegas, 10/18-10/21, or go online with .conf21 Virtual, 10/19-10/20.