Dashboards & Visualizations

How to create a barchart with multiple metrics (including trellis)?

StephenIves
Engager

I have the following search:

 

index=felix_emea sourcetype="Felixapps:prod:log" Action = "Resp_VPMG"
| dedup EventIndex
| rex field=Message "^<b>(?<Region>.+)<\/b>"
| rex "Response Codes:\s(?<responseCode>\d{1,3})"
| rex field=Message ":\s(?<errCount>\d{1,4})$"
| FIELDS "Action" "Region" "responseCode" "errCount"
| timechart sum(errCount) by Region

which is returning the following events:

| Time | Action | responseCode | Region | errCount |
|---|---|---|---|---|
| 21/11/2022 09:46:07 | Resp_VPMG | 912 | VPMG - Wizink PRD-E5 | 14 |
| 21/11/2022 09:16:31 | Resp_VPMG | 911 | Moneta IBS via VPMG | 8 |
| 21/11/2022 03:02:07 | Resp_VPMG | 911 | Moneta IBS via VPMG | 129 |
| 21/11/2022 02:46:59 | Resp_VPMG | 911 | Moneta IBS via VPMG | 92 |
| 20/11/2022 20:31:38 | Resp_VPMG | 911 | Moneta IBS via VPMG | 16 |
| 20/11/2022 19:31:36 | Resp_VPMG | 911 | Moneta IBS via VPMG | 32 |
| 20/11/2022 02:26:45 | Resp_VPMG | 911 | Addiko IBS via VPMG | 7 |

 

and I can display the results on a bar chart like this:

image.png

but I have no visibility of the 'responseCode' field. 

 

If I copy the data into PowerBI, I can easily get a visualisation like this:

StephenIves_0-1669134657880.png

 

which shows Errors by region and by responseCode (using a PowerBI 'Small Measures', which seems to be the equivalent of Splunk's 'Trellis').

Can I recreate this visualisation in Splunk? Using the Trellis option only allows me to trellis the report by Region and not by responseCode. 

Thanks. 

Steve

 

0 Karma

StephenIves
Engager

Sorry for the delay in replying.

That isn't working.  All I get is this:

StephenIves_1-1674572168170.png

So yes - there is a separate graph for each region, but the columns are simply the count of {Region}, not a count of different responseCode.

I'm not sure what your line graphs are showing - I can't replicate that.

0 Karma

VatsalJagani
SplunkTrust

@StephenIves - I can see your query is very different from what I put in my answer; can you please try to replicate that?

0 Karma

StephenIves
Engager

Hi Vatsal,

I lost access to this account, so haven't been able to reply until now.

This is the query you suggested I try:

index=felix_emea sourcetype="Felixapps:prod:log" Action = "Resp_VPMG"
| dedup EventIndex
| rex field=Message "^<b>(?<Region>.+)<\/b>"
| rex "Response Codes:\s(?<responseCode>\d{1,3})"
| rex field=Message ":\s(?<errCount>\d{1,4})$"

| bin _time span=1h
| stats count by _time, Region responseCode
| eval {Region}=count
| fields - Region, count

 

I'm not sure what the visualisation is showing me exactly: I can activate a trellis display by region, but the bars on each graph (when I activate the legend) are labelled as 'responseCode' and the region. All bars are showing as just under 1,000:

StephenIves_0-1694425102714.png

Again, the Power BI display I am trying to replicate is this:

StephenIves_1-1694425153189.png

With a timechart of the count of response codes by region, trellised by responsecode. 

Here is the sample data for the Power BI report:

| Time | Action | responseCode | Region | errCount |
|---|---|---|---|---|
| 21/11/2022 09:46:07 | Resp_VPMG | 912 | VPMG - Wizink PRD-E5 | 14 |
| 21/11/2022 09:16:31 | Resp_VPMG | 911 | Moneta IBS via VPMG | 8 |
| 21/11/2022 03:02:07 | Resp_VPMG | 911 | Moneta IBS via VPMG | 129 |
| 21/11/2022 02:46:59 | Resp_VPMG | 911 | Moneta IBS via VPMG | 92 |
| 20/11/2022 20:31:38 | Resp_VPMG | 911 | Moneta IBS via VPMG | 16 |
| 20/11/2022 19:31:36 | Resp_VPMG | 911 | Moneta IBS via VPMG | 32 |
| 20/11/2022 02:26:45 | Resp_VPMG | 911 | Addiko IBS via VPMG | 7 |

 

('Action' is not used).

 

 

 

0 Karma

VatsalJagani
SplunkTrust

@StephenIves - Try this search query:

index=felix_emea sourcetype="Felixapps:prod:log" Action = "Resp_VPMG"
| dedup EventIndex
| rex field=Message "^<b>(?<Region>.+)<\/b>"
| rex "Response Codes:\s(?<responseCode>\d{1,3})"
| rex field=Message ":\s(?<errCount>\d{1,4})$"

| bin _time span=1h
| stats count by _time, Region responseCode
| eval {Region}=count
| fields - Region, count

 

And this trellis configuration:

VatsalJagani_2-1669187004252.png

 

Here is my sample search:

index=_internal
| rename log_level as responseCode, host as Region
| bin _time span=1h
| stats count by _time, Region responseCode
| eval {Region}=count
| fields - Region, count

VatsalJagani_3-1669187047033.png

 

Hope this helps!!! Upvote and accept the answer if it does!!
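A run-anywhere variant of the search above, added here as an illustration and not part of either poster's messages: it loads the seven sample rows from the question with makeresults and sums errCount (as the original timechart did) instead of counting events. The field names sample_row, f and errors are assumptions introduced for this example.

```spl
| makeresults
| eval sample_row=split("21/11/2022 09:46:07,912,VPMG - Wizink PRD-E5,14;21/11/2022 09:16:31,911,Moneta IBS via VPMG,8;21/11/2022 03:02:07,911,Moneta IBS via VPMG,129;21/11/2022 02:46:59,911,Moneta IBS via VPMG,92;20/11/2022 20:31:38,911,Moneta IBS via VPMG,16;20/11/2022 19:31:36,911,Moneta IBS via VPMG,32;20/11/2022 02:26:45,911,Addiko IBS via VPMG,7", ";")
| mvexpand sample_row
| eval f=split(sample_row, ",")
| eval _time=strptime(mvindex(f, 0), "%d/%m/%Y %H:%M:%S"), responseCode=mvindex(f, 1), Region=mvindex(f, 2), errCount=tonumber(mvindex(f, 3))
| bin _time span=1h
| stats sum(errCount) as errors by _time, Region, responseCode
| eval {Region}=errors
| fields - Region, errors
```

Rendered as a column chart with Trellis enabled and split by responseCode (assumed here, matching the goal stated in the question), each panel shows one series per Region with the summed error counts per hour.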
