Dashboards & Visualizations
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to make Chart filtering on TOP 5?

Splunker7
Loves-to-Learn Lots
‎03-23-2023 07:28 AM

Hi all

I'm struggling to make my chart how I want it.
Basically what I currently have, is a graph with a lot of logs received from certain services.
And that from the past 3 months.

- I don't understand why my months are ordered like this: 2022 December, 2023 February, 2023 January
Where January should be in the middle.

- Aside from this, my main struggle is to filter the top services with the highes2023-03-23 15_25_28-Clipboard.png

 

t logs. These are a lot higher than the other ones. So I'll have to make a 2nd graph with the smaller ones.
How can I filter the the top (say 4) out? (AND srv!=*** is not the proper way to do it in this case)

|dbxquery query="select to_char(received_ts,'YYYY Month') as Month,srv,sum(log_Count) as Total_Log_Count
from gmssp.esm.esm_audit_day
where client_id = ****
AND received_ts>= DATE_TRUNC('month', current_date) - '3 month'::interval
AND received_ts< DATE_TRUNC('month', current_date)
AND SRV!='ignor'
AND SRV!='UNK'
group by srv, month" connection="******"
| chart max(total_log_count) by srv month


Thanks a lot for your help!

Labels (2)
Labels
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎03-23-2023 08:01 AM

The chart is ordered the way it is because X-axis labels are sorted lexicographically.  "2022" comes before "2023" and "F" comes before "J".  To put them into date order, you'd have to convert the month field into epoch form using strptime then use fieldformat to specify how it should be displayed.

The chart command has a limit option you can use to control how many results are displayed.

|dbxquery query="select to_char(received_ts,'YYYY Month') as Month,srv,sum(log_Count) as Total_Log_Count
from gmssp.esm.esm_audit_day
where client_id = ****
AND received_ts>= DATE_TRUNC('month', current_date) - '3 month'::interval
AND received_ts< DATE_TRUNC('month', current_date)
AND SRV!='ignor'
AND SRV!='UNK'
group by srv, month" connection="******"
| eval month = strptime(month, "%Y %B")
| chart limit=top 4 max(total_log_count) by srv month
| fieldformat month = strftime(month, "%Y %B")

 

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎03-23-2023 07:53 AM

hi @Splunker7 ,

at first Splunk isn't a database client, even if you can extract data from a database but in this way you have very low performaces: the best approach is to schedule a data extraction saving data in Splunk and then run searches on the index where you stored extracted data.

Then, charts are ordered in alphabetical order, for this reson january comes after february.

Convert tour dates in numbers (2023-02 instead of 2023-February) and you'll have an ordered chart.

About the second question,you could use a logarythmic scale to disaply your data to avoid great differences in column high.

Then if you want to exclude some results, you can use the where condition to filter your data

...
| stats max(total_log_count) AS max BY srv month
| where max<1000

I used 1000 as threshold but you can use the value you like.

Ciao.

Giuseppe

0 Karma
Reply

Splunker7
Loves-to-Learn Lots
‎03-24-2023 12:30 AM

Splunker7_0-1679642982630.png

Hi @gcusello 

I've tried this already, but then I receive:

"No results found. Try expanding the time range."

 

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎03-24-2023 03:31 AM

Hi @Splunker7 ,

which result do you receive without the final filter?

Ciao.

Giuseppe

0 Karma
Reply

Splunker7
Loves-to-Learn Lots
‎03-24-2023 05:02 AM

@gcusello 
Splunker7_0-1679659358922.png

No results found

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎03-27-2023 03:59 AM

Hi @Splunker7 ,

please run your main search (without stats) and check the presence of the following fields:

  • total_log_count
  • srv
  • month

and if srv and month have the 100% of values.

Ciao.

Giuseppe

0 Karma
Reply

Splunker7
Loves-to-Learn Lots
‎03-27-2023 06:18 AM

Hi @gcusello 

Without Chart or stats, all works fine:

Splunker7_0-1679923105681.png

Thanks
Benjamin

0 Karma
Reply
Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Dynamic formatting from XML events

This challenge was first posted on Slack #puzzles channelFor a previous puzzle, I needed a set of fixed-length ...

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

  &#x1f680; Your data just got a serious AI upgrade — are you ready? Say hello to the Agentic Era with the ...

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...