
How can I create a Column chart with this information?

I have a search

index=metrics sourcetype=patch_report |table org, targeted, patched, patch_failed, percent_success

My intention is to show a column for each of these parameters and in the column the values. For example, org contains no numeric values - it contains Organization names. The others contain numerical values.

I don't know if I am using the best search by using table. I am new to Splunk and trying to learn.

0 Karma
1 Solution

Esteemed Legend

This will fake the data:

|noop|stats count as raw| eval raw="Force10 1,000 UKN UKN 0%::
   MFG Burn 535 UKN UKN 0%::
   M&A PG Labs 10,000 UKN UKN 0%::
   Enterprise Solutions Labs Unknown (UKN) UKN UKN 0%::
   Network 151 UKN UKN 0%::
   Software Group 1,230 UKN UKN 0%::
   Services Comp * 39,554 UKN UKN 0%::
   Make 16 16 0 100%::
   Aware 7 UKN UKN 0%::
   Final Overall - Non-Core 1,887 1,726 161 91%::
   Domain Controllers 334 310 24 93%::
   Compellent 96 96 0 100%::
   Final Overall \x96 Core 16,995 15,789 1,206 93%"
|makemv delim="::" raw | mvexpand raw | rename raw AS _raw

Then add this to do the work:

| rex "(?<org>.*?)\s+(?<targeted>\S+)\s+(?<patched>\S+)\s+(?<patch_failed>\S+)\s+(?<percent_success>\S+)$"
| table org targeted patched patch_failed percent_success
| foreach * [rex field=<<FIELD>> mode=sed "s/[,%()]//g"]

Just click on the "Visualization" tab and select Bar Chart or Column Chart.
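What the rex and sed steps above do to the sample rows, reproduced offline in Python as an added example (not code from this thread). The function names are hypothetical, the leading `^\s*` is an addition so indented rows do not leave whitespace in org, and rows whose counts are still UKN after stripping are returned separately because they have no number to plot.

```python
import re

# Constructed sample: rows copied from the patch report quoted in this thread.
SAMPLE_ROWS = [
    "Force10 1,000 UKN UKN 0%",
    "Enterprise Solutions Labs Unknown (UKN) UKN UKN 0%",
    "Make 16 16 0 100%",
    "Final Overall - Non-Core 1,887 1,726 161 91%",
    "Domain Controllers 334 310 24 93%",
]

# Same pattern as the rex in the answer, plus ^\s* (an addition, see lead-in).
# The trailing $ pins the last four tokens, so org may contain spaces.
ROW_RE = re.compile(
    r"^\s*(?P<org>.*?)\s+(?P<targeted>\S+)\s+(?P<patched>\S+)"
    r"\s+(?P<patch_failed>\S+)\s+(?P<percent_success>\S+)$"
)
NUMERIC_FIELDS = ("targeted", "patched", "patch_failed", "percent_success")


def to_number(value):
    """Strip , % ( ) as the sed step does; return None when no number is left."""
    cleaned = re.sub(r"[,%()]", "", value)
    return int(cleaned) if cleaned.isdigit() else None


def parse_row(line):
    """Split one report row into org plus four numeric-or-None fields."""
    match = ROW_RE.match(line)
    if match is None:
        raise ValueError(f"unparseable row: {line!r}")
    row = {"org": match["org"]}
    for name in NUMERIC_FIELDS:
        row[name] = to_number(match[name])
    return row


def split_for_chart(lines):
    """Return (chartable rows, org names whose patch counts are unknown)."""
    chartable, unknown = [], []
    for row in map(parse_row, lines):
        if row["targeted"] is None or row["patched"] is None:
            unknown.append(row["org"])
        else:
            chartable.append(row)
    return chartable, unknown


if __name__ == "__main__":
    rows, unknown_orgs = split_for_chart(SAMPLE_ROWS)
    for r in rows:
        print(r)
    print("no patch data:", unknown_orgs)
```
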


Thank you very much! I truly appreciate it.

0 Karma

SplunkTrust

Can you provide a few rows of these actual events? A half-dozen of those will go very far toward helping us help you!

0 Karma

Hello Rich7177,

Absolutely, thank you very much in advance, I will paste all the results, (they are not too much).

org targeted patched patch_failed percent_success
Force10 1,000 UKN UKN 0%
MFG Burn 535 UKN UKN 0%
M&A PG Labs 10,000 UKN UKN 0%
Enterprise Solutions Labs Unknown (UKN) UKN UKN 0%
Network 151 UKN UKN 0%
Software Group 1,230 UKN UKN 0%
Services Comp * 39,554 UKN UKN 0%
Make 16 16 0 100%
Aware 7 UKN UKN 0%
Final Overall - Non-Core 1,887 1,726 161 91%
Domain Controllers 334 310 24 93%
Compellent 96 96 0 100%
Final Overall \x96 Core 16,995 15,789 1,206 93%

So the parameters are: org, targeted, patched, patch_failed, and percent_success, and the values are the ones below that. I want to represent those values in a bar chart and below it the name of those parameters.

As I mentioned I am using search string:
index=metrics sourcetype=patch_report |table org, targeted, patched, patch_failed, percent_success

But I don't know if "Table" is the best function for this purpose or whether I am missing something else. I have seen this community's complex searches and I know I am probably missing a lot of stuff in the search string, but again I apologize if this is a dumb question; I am still at the bottom of the knowledge curve.

Thank you very much in advance!

0 Karma

First three results:
org targeted patched patch_failed percent_success
Force 10 1,000 UKN UKN 0%
MFG Burn 535 UKN UKN 0%
M&A PG Labs 10,000 UKN UKN 0%

0 Karma

SplunkTrust

You need to provide more details on the data that you have. Does it come at a certain interval? How many different Org values do you have? Since you have more than one data point to show per Org, you'd probably need to use a stacked column chart.
https://docs.splunk.com/Splexicon:Stackmode

0 Karma

Thank you very much Somesoni. org is the only one that has no numerical values, all of the others have percentage values. Targeted, patched, patch_failed, and percent_success have numerical values and UKN, which represents Unknown. I want to have a bar chart or whatever chart that represents each of my 5 parameters (org, targeted, patched, patch_failed and percent_success) with their values represented in bars or any other chart. I don't know if table is a good function, since when transforming to the Dashboard chart only "org" is shown properly; all of the others are shown as a reference line only on the right but not showing their values. I don't know if I explained properly, but thank you very very much in advance!

0 Karma