Dashboards & Visualizations

I have following data in csv , how to display in chart in Splunk

rashi83
Path Finder

CSV is like this
hostid compName status
x v Passed
y v Passed
z v Failed

Need to display like this in Splunk dashboard
host id CompName1 CompName2 CompName3
x status status status
y status status status

I tried using chart command but stuck how to display status with it

Tags (1)
0 Karma

martinpu
Communicator
yourquery
|table hostid compName status

I think this should work or

|xyseries hostid compName status

or

|chart values(hostid) over status by compName
0 Karma

rashi83
Path Finder

Thanks !
Need one more guidance what date function can be used to get latest week events. I want to ignore past date results.

0 Karma

martinpu
Communicator

In query window, on right side choose time options - under presets use relative time and "Week to date" or "Previous week".

0 Karma

rashi83
Path Finder

I know about the time options.
We are making a dashboard - where csv will have data on a weekly basis. So while writing query for above table I want to show latest week status.

Tried using Search | eval sorttime=strptime('_time',"%m/%d/%Y %H:%M:%S%p")| sort -sorttime |dedup hostname compName +_time keepempty=true | xyseries hostname compName status

But it's showing old week data instead of latest week

0 Karma

martinpu
Communicator

Try this time modifier in beginning of search:

earliest=@w1

Shows all results from latest monday untill now

earliest=@w0

for events from latest sunday till now

earliest=-5d@w1 latest=@w6

latest business week results

Not 100% if this is what you need...

Or maybe this?

| eval thisWeekNumber=strftime(now(),"%V") 
| eval weekNoFromFile = strftime(_time, "%V")
| where thisWeekNumber=weekNoFromFile
0 Karma

rashi83
Path Finder

@martinpu thanks .
I have created a dropdown as input panel and handling time .

I also wanted to generate percentage in the same query based on status = Passed and Failed.
How do u recommend to do ?
index=x | xyseries hostname compName status | eval percentage=round((Passed/Passed+Failed)*100)

0 Karma

martinpu
Communicator

Hi @rashi83
You would have to do that via eventstats probably. Though I'd recommend doing some own investigation in how to do this as there are many examples of how to accomplish this easily available.

Please accept my answer in the original reply so this question can be resolved.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...