Dashboards & Visualizations

Is there a way to create a chart where each date has multiple columns beneath it?

Path Finder

I am trying to create a "monitoring" dashboard that compares the data count in a clients database to the count in our corporate database.  For each Event Name (sourcetype) I have the following metrics: nVerifyEvents, nPropertyEvents, nReceivedEvents.  I want to display all 3 metrics per Event Name per date for the last 7 days.  Here is a screenshot of what I have so far.

bhavlik_0-1603745060042.png

Is there anyway to create a chart so it displays like this:

bhavlik_2-1603745544730.png

If this isn't possible, do any of you have some suggestions on a way to display this information on a dashboard?  Should I do each date as a separate chart and put them on the same row in the dashboard?  In my opinion it would be overkill to have the Event Name listed for each date but if that's the only way to go then it will have to work.  I will also need to set up notifications if nReceivedEvents < nPropertyEvents so that we can address any missing data right away.  

Thanks for any help or suggestions you send my way.

 

Labels (2)
0 Karma
1 Solution

Influencer

Well done finding a solution. A couple of variants you could do would be 

a) Make the validate field a multivalue field, so it renders a value per line rather than wrapping the values based on column width

| eval ValidationData=mvappend("nVerify=".nVerifyEvents,
                               "nProperty=".nPropertyEvents,
                               "nReceived=".nReceivedEvents,
                               "Missing=".Missing)

 b) Make a labels column, so that the values are just under the dates, something like this

| makeresults 
| eval n=mvrange(1,31)
| mvexpand n
| eval _time=now() - ((random() % 3 + 1) * 86400) 
| fields - n
| eval eventName=mvindex(split("CustCkIn,CustCkOut,EduAssigned,EduView,FTGChannelOff",","),random() % 5)
| eval nVerifyEvents=random() % 20, nPropertyEvents=random() % 20, nReceivedEvents=random() % 20, nMissing=random() % 20
| bin _time span=1d
| stats sum(n*) as n* by _time eventName
| eval ValidationData=mvappend(nVerifyEvents,nPropertyEvents,nReceivedEvents,nMissing)
| eval date=strftime(_time, "%F") 
| table date eventName ValidationData
| eval {date}=ValidationData
| fields - date ValidationData
| stats list(2*) as 2* by eventName
| eval Labels=mvappend("nVerify","nProperty","nReceived","Missing")
| fillnull value="Events Not Received"
| table eventName Labels 2*

 

View solution in original post

0 Karma

Path Finder

I ended up using an eval statement to combine the columns that would be under each date into a single column and then using other commands to get only one row each of the Event Names.  

Here's the part of my query that I used to change the table to my desired look:

| eval ValidationData="nVerify="+nVerifyEvents+", "+"nProperty="+nPropertyEvents+", "+"nReceived="+nReceivedEvents+", "+"Missing="+Missing
| table date eventName ValidationData
| eval {date}=ValidationData
| fields - date ValidationData
| stats values(*) as * by eventName
| fillnull value="Events Not Received"


Here's a screenshot of the final result:

bhavlik_0-1603913595215.png

Not sure if this is the best way to do this but it works.

Influencer

Well done finding a solution. A couple of variants you could do would be 

a) Make the validate field a multivalue field, so it renders a value per line rather than wrapping the values based on column width

| eval ValidationData=mvappend("nVerify=".nVerifyEvents,
                               "nProperty=".nPropertyEvents,
                               "nReceived=".nReceivedEvents,
                               "Missing=".Missing)

 b) Make a labels column, so that the values are just under the dates, something like this

| makeresults 
| eval n=mvrange(1,31)
| mvexpand n
| eval _time=now() - ((random() % 3 + 1) * 86400) 
| fields - n
| eval eventName=mvindex(split("CustCkIn,CustCkOut,EduAssigned,EduView,FTGChannelOff",","),random() % 5)
| eval nVerifyEvents=random() % 20, nPropertyEvents=random() % 20, nReceivedEvents=random() % 20, nMissing=random() % 20
| bin _time span=1d
| stats sum(n*) as n* by _time eventName
| eval ValidationData=mvappend(nVerifyEvents,nPropertyEvents,nReceivedEvents,nMissing)
| eval date=strftime(_time, "%F") 
| table date eventName ValidationData
| eval {date}=ValidationData
| fields - date ValidationData
| stats list(2*) as 2* by eventName
| eval Labels=mvappend("nVerify","nProperty","nReceived","Missing")
| fillnull value="Events Not Received"
| table eventName Labels 2*

 

View solution in original post

0 Karma

Path Finder

Sorry for the delay in response, I had to focus on another project for a couple days.  LOL.  But I did incorporate part a) and I really like the way the output looks.  This will allow me to display a larger time range.  

I haven't had time to go through your suggestion in part b) but have saved in for future exploration.

0 Karma
State of Splunk Careers

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.

Find out what your skills are worth!