Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to plot multiple visualizations of type: scatterplot matrix?

Taruchit
Contributor
‎09-22-2023 11:44 AM

Hello All,

I am trying to plot the count of events per day over a span of a week by using scatterplot matrix as the visualization to see if there is any linear relation observed.

And I need to plot 4 charts, one for each week of the month since there are restrictions on number of datapoints a single chart can publish.

But, when I plot more than one chart, the dashboard breaks down and I start getting error: -

Error rendering Scatterplot Matrix visualization

Thus, I need your guidance to resolve the error.

Thank you
Taruchit

Labels (3)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

tscroggins
Influencer
‎09-23-2023 07:24 PM

Hi @Taruchit,

You can group counts by week of year, which works well for line and column charts:

| timechart span=1d count
| eval week_of_year=strftime(_time, "%V")
| timechart span=1d count as count by week_of_year

tscroggins_0-1695521875046.png

and then use trellis to split the charts by week_of_year:

tscroggins_1-1695521906979.png

However, scatter charts want integral x and y-values. You can use strftime again to convert _time values into reasonable integer values, e.g. the day of the week:

| timechart span=1d count
| eval week_of_year=strftime(_time, "%V")
| eval day_of_week=strftime(_time, "%w")
| xyseries day_of_week week_of_year count

and then use trellis to split the scatter chart by week_of_year:

tscroggins_4-1695521995780.png

If you prefer, you can use some other split-by value:

| timechart span=1d count
| eval day_of_week=strftime(_time, "%w")
| eval split_by="Week of ".strftime(_time-(86400*day_of_week), "%d-%b")
| xyseries day_of_week split_by count

tscroggins_5-1695522015935.png

The markers can be made slightly more visually appealing using a Simple XML dashboard and the charting.chart.markerSize option:

<option name="charting.chart.markerSize">1</option>

tscroggins_6-1695522246960.png

View solution in original post

Reply
Solved! Jump to solution
Solution

tscroggins
Influencer
‎09-23-2023 07:24 PM

Hi @Taruchit,

You can group counts by week of year, which works well for line and column charts:

| timechart span=1d count
| eval week_of_year=strftime(_time, "%V")
| timechart span=1d count as count by week_of_year

tscroggins_0-1695521875046.png

and then use trellis to split the charts by week_of_year:

tscroggins_1-1695521906979.png

However, scatter charts want integral x and y-values. You can use strftime again to convert _time values into reasonable integer values, e.g. the day of the week:

| timechart span=1d count
| eval week_of_year=strftime(_time, "%V")
| eval day_of_week=strftime(_time, "%w")
| xyseries day_of_week week_of_year count

and then use trellis to split the scatter chart by week_of_year:

tscroggins_4-1695521995780.png

If you prefer, you can use some other split-by value:

| timechart span=1d count
| eval day_of_week=strftime(_time, "%w")
| eval split_by="Week of ".strftime(_time-(86400*day_of_week), "%d-%b")
| xyseries day_of_week split_by count

tscroggins_5-1695522015935.png

The markers can be made slightly more visually appealing using a Simple XML dashboard and the charting.chart.markerSize option:

<option name="charting.chart.markerSize">1</option>

tscroggins_6-1695522246960.png

Reply
Solved! Jump to solution

Taruchit
Contributor
‎09-25-2023 02:20 AM

Hi @tscroggins,

Thank you very much for sharing the detailed inputs and also for also sharing the alternate approaches for exploring.

Thank you

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...