Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How do you create a line graph which shows 3 values?

QuintonS
Path Finder
‎10-19-2018 06:22 AM

Rookie Question: I am trying to create a line graph showing 3 values. i have the query which works perfectly to show "ratings" per site for each site per week. But i want to show the overall rating for both sites as well.

here is the query i use..

| eval week=relative_time(_time,"@w1")
| eval week=strftime(week,"%V")
| chart avg(overall_rating) over week by area

area= field name and contains values for 2 sites. if i remove "by area" then i get the overall rating for both sites and i want to get that showing in the same graph.

please help a newbie!! 🙂

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

renjith_nair
SplunkTrust
SplunkTrust
‎10-19-2018 07:27 AM

@QuintonS,

If are looking for just total over week then, try

| eval week=relative_time(_time,"@w1")
| eval week=strftime(week,"%V")
| chart avg(overall_rating) over week by area
| addtotals

Updated:

  | eval week=relative_time(_time,"@w1")
  | eval week=strftime(week,"%V")
  | eventstats avg(overall_rating) as OVERALL_RATING
  | chart avg(overall_rating),max(OVERALL_RATING) as OVERALL_RATING over week by area
  | rename "avg(overall_rating): *" as *,"OVERALL_RATING : *" as DEL*|foreach DEL*[eval OVERALL_RATING =<<FIELD>>]|fields - DEL*
Happy Splunking!

View solution in original post

Reply
Solved! Jump to solution
Solution

renjith_nair
SplunkTrust
SplunkTrust
‎10-19-2018 07:27 AM

@QuintonS,

If are looking for just total over week then, try

| eval week=relative_time(_time,"@w1")
| eval week=strftime(week,"%V")
| chart avg(overall_rating) over week by area
| addtotals

Updated:

  | eval week=relative_time(_time,"@w1")
  | eval week=strftime(week,"%V")
  | eventstats avg(overall_rating) as OVERALL_RATING
  | chart avg(overall_rating),max(OVERALL_RATING) as OVERALL_RATING over week by area
  | rename "avg(overall_rating): *" as *,"OVERALL_RATING : *" as DEL*|foreach DEL*[eval OVERALL_RATING =<<FIELD>>]|fields - DEL*
Happy Splunking!
Reply
Solved! Jump to solution

QuintonS
Path Finder
‎10-19-2018 07:35 AM

Hi Renjith, not looking for the totals.

output i want should look like the following.

Week, Site1, Site2, Overall rating

hope this makes sens?

0 Karma
Reply
Solved! Jump to solution

renjith_nair
SplunkTrust
SplunkTrust
‎10-19-2018 07:41 AM

So is it not Site1_Rating+Site2_Rating? May be a sample data will be helpful. Sorry for that.

Happy Splunking!
0 Karma
Reply
Solved! Jump to solution

QuintonS
Path Finder
‎10-19-2018 07:49 AM

i need to provide average of ratings for the client. so i have daily data with a "overal_rating" field. and i also have data per site. So i need to show average overall rating and average overall rating per site in the same graph. cant share sample data unfortunatley..

0 Karma
Reply
Solved! Jump to solution

renjith_nair
SplunkTrust
SplunkTrust
‎10-19-2018 08:14 AM

Okie, calculate this value before chart and add it in chart

 | eval week=relative_time(_time,"@w1")
 | eval week=strftime(week,"%V")
 | eventstats avg(overall_rating) as OVERALL_RATING
 | chart avg(overall_rating),max(OVERALL_RATING) as OVERALL_RATING over week by area
Happy Splunking!
Reply
Solved! Jump to solution

renjith_nair
SplunkTrust
SplunkTrust
‎10-19-2018 08:16 AM

Added little clean up 🙂

    |rename "avg(overall_rating): *" as *,"OVERALL_RATING : *" as DEL*|foreach DEL*[eval OVERALL_RATING =<<FIELD>>]|fields - DEL*
Happy Splunking!
0 Karma
Reply
Solved! Jump to solution

QuintonS
Path Finder
‎10-19-2018 08:32 AM

This is very close, need to do some tweeks. seems to be working.

Thanks so much for the help! 🙂

0 Karma
Reply
Solved! Jump to solution

renjith_nair
SplunkTrust
SplunkTrust
‎10-19-2018 09:05 AM

You are welcome @QuintonS,. Updated the answer, please accept if it's ok

Happy Splunking!
0 Karma
Reply
Get Updates on the Splunk Community!

.conf23 | Get Your Cybersecurity Defense Analyst Certification in Vegas

We’re excited to announce a new Splunk certification exam being released at .conf23! If you’re going to Las ...

Starting With Observability: OpenTelemetry Best Practices

Tech Talk Starting With Observability: OpenTelemetry Best Practices Tuesday, October 17, 2023   |  11AM PST / ...

Streamline Data Ingestion With Deployment Server Essentials

REGISTER NOW! Every day the list of sources Admins are responsible for gets bigger and bigger, often making ...