Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Is there a way to create a chart where each date has multiple columns beneath it?

bhavlik
Path Finder
‎10-26-2020 02:00 PM

I am trying to create a "monitoring" dashboard that compares the data count in a clients database to the count in our corporate database.  For each Event Name (sourcetype) I have the following metrics: nVerifyEvents, nPropertyEvents, nReceivedEvents.  I want to display all 3 metrics per Event Name per date for the last 7 days.  Here is a screenshot of what I have so far.

bhavlik_0-1603745060042.png

Is there anyway to create a chart so it displays like this:

bhavlik_2-1603745544730.png

If this isn't possible, do any of you have some suggestions on a way to display this information on a dashboard?  Should I do each date as a separate chart and put them on the same row in the dashboard?  In my opinion it would be overkill to have the Event Name listed for each date but if that's the only way to go then it will have to work.  I will also need to set up notifications if nReceivedEvents < nPropertyEvents so that we can address any missing data right away.  

Thanks for any help or suggestions you send my way.

 

Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

bowesmana
SplunkTrust
SplunkTrust
‎10-28-2020 03:00 PM

Well done finding a solution. A couple of variants you could do would be 

a) Make the validate field a multivalue field, so it renders a value per line rather than wrapping the values based on column width

| eval ValidationData=mvappend("nVerify=".nVerifyEvents,
                               "nProperty=".nPropertyEvents,
                               "nReceived=".nReceivedEvents,
                               "Missing=".Missing)

 b) Make a labels column, so that the values are just under the dates, something like this

| makeresults 
| eval n=mvrange(1,31)
| mvexpand n
| eval _time=now() - ((random() % 3 + 1) * 86400) 
| fields - n
| eval eventName=mvindex(split("CustCkIn,CustCkOut,EduAssigned,EduView,FTGChannelOff",","),random() % 5)
| eval nVerifyEvents=random() % 20, nPropertyEvents=random() % 20, nReceivedEvents=random() % 20, nMissing=random() % 20
| bin _time span=1d
| stats sum(n*) as n* by _time eventName
| eval ValidationData=mvappend(nVerifyEvents,nPropertyEvents,nReceivedEvents,nMissing)
| eval date=strftime(_time, "%F") 
| table date eventName ValidationData
| eval {date}=ValidationData
| fields - date ValidationData
| stats list(2*) as 2* by eventName
| eval Labels=mvappend("nVerify","nProperty","nReceived","Missing")
| fillnull value="Events Not Received"
| table eventName Labels 2*

 

View solution in original post

0 Karma
Reply
Solved! Jump to solution

bhavlik
Path Finder
‎10-28-2020 12:33 PM

I ended up using an eval statement to combine the columns that would be under each date into a single column and then using other commands to get only one row each of the Event Names.  

Here's the part of my query that I used to change the table to my desired look:

| eval ValidationData="nVerify="+nVerifyEvents+", "+"nProperty="+nPropertyEvents+", "+"nReceived="+nReceivedEvents+", "+"Missing="+Missing
| table date eventName ValidationData
| eval {date}=ValidationData
| fields - date ValidationData
| stats values(*) as * by eventName
| fillnull value="Events Not Received"


Here's a screenshot of the final result:

bhavlik_0-1603913595215.png

Not sure if this is the best way to do this but it works.

Reply
Solved! Jump to solution
Solution

bowesmana
SplunkTrust
SplunkTrust
‎10-28-2020 03:00 PM

Well done finding a solution. A couple of variants you could do would be 

a) Make the validate field a multivalue field, so it renders a value per line rather than wrapping the values based on column width

| eval ValidationData=mvappend("nVerify=".nVerifyEvents,
                               "nProperty=".nPropertyEvents,
                               "nReceived=".nReceivedEvents,
                               "Missing=".Missing)

 b) Make a labels column, so that the values are just under the dates, something like this

| makeresults 
| eval n=mvrange(1,31)
| mvexpand n
| eval _time=now() - ((random() % 3 + 1) * 86400) 
| fields - n
| eval eventName=mvindex(split("CustCkIn,CustCkOut,EduAssigned,EduView,FTGChannelOff",","),random() % 5)
| eval nVerifyEvents=random() % 20, nPropertyEvents=random() % 20, nReceivedEvents=random() % 20, nMissing=random() % 20
| bin _time span=1d
| stats sum(n*) as n* by _time eventName
| eval ValidationData=mvappend(nVerifyEvents,nPropertyEvents,nReceivedEvents,nMissing)
| eval date=strftime(_time, "%F") 
| table date eventName ValidationData
| eval {date}=ValidationData
| fields - date ValidationData
| stats list(2*) as 2* by eventName
| eval Labels=mvappend("nVerify","nProperty","nReceived","Missing")
| fillnull value="Events Not Received"
| table eventName Labels 2*

 

0 Karma
Reply
Solved! Jump to solution

bhavlik
Path Finder
‎11-03-2020 12:06 PM

Sorry for the delay in response, I had to focus on another project for a couple days.  LOL.  But I did incorporate part a) and I really like the way the output looks.  This will allow me to display a larger time range.  

I haven't had time to go through your suggestion in part b) but have saved in for future exploration.

0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...