Dashboards & Visualizations
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Pivot graph - How to change Y-axis units

alexantao
Path Finder
‎10-11-2013 10:00 AM

HI,
I'm triyng to create a graph in pivot that show the number of bytes over some other field, like IP. So the graph will show the number of bytes each IP downloaded.
But the number of bytes are too high, I'd like to show in Gb, ou Mb, instead of bytes.
The field auto-extracted from the datamodel is bytes. I've tried to create an eval field that contains Bytes/1073741824 to transform to Gb but the graph does not show anything.

Is there a way to splunk automatcally transform big numbers using the units ? Or how could I do that ?

Thanks.

0 Karma
Reply

mattness
Splunk Employee
Splunk Employee
‎10-11-2013 01:08 PM

Here are the steps you should follow:

  1. Add bytes as an auto-extracted attribute to the data model object you're using for your Pivot. You need this in your object if you want to reference the bytes attribute in the eval expression attribute (next step).
  2. Add an eval expression attribute to the same object. In the Eval Expression field for the attribute enter bytes/1073741824. Then give it a Field Name and Display Name of Gb. (Note: Splunk is case-sensitive when it comes to field names, so if your field is extracted as "bytes," don't use "Bytes" in the eval expression.)
  3. Test the Eval Expression attribute by clicking Preview. You should see some events with a new Gb field added.
  4. Save the eval expression attribute.
  5. In your pivot chart, use Gb where you were using bytes. Presto!

The object UI should do this automatically, but just in case: Make sure that the Gb eval expression attribute is listed below the bytes auto-extracted attribute. The eval expression attribute cannot reference attributes that are listed after it.

You can also add these attributes to a parent of the object you're using in Pivot; the object you're using in Pivot will inherit them.

Reply

mattness
Splunk Employee
Splunk Employee
‎10-11-2013 01:19 PM

Ah, one more thing...it's case sensitive. So if your field is being extracted as "bytes" don't enter "Bytes/1073741824" into the Eval Expression field.

Reply

mattness
Splunk Employee
Splunk Employee
‎10-11-2013 01:15 PM

I tested this on my end before writing up that procedure and it worked for me...I thought perhaps the problem was that you didn't have the bytes auto-extracted attribute in the object.

0 Karma
Reply

alexantao
Path Finder
‎10-11-2013 01:12 PM

I've tried this, but it didn't work, but I'll try again... thanks

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Take Action Automatically on Splunk Alerts with Red Hat Ansible Automation Platform

 Are you ready to revolutionize your IT operations? As digital transformation accelerates, the demand for ...

Calling All Security Pros: Ready to Race Through Boston?

Hey Splunkers, .conf25 is heading to Boston and we’re kicking things off with something bold, competitive, and ...

Beyond Detection: How Splunk and Cisco Integrated Security Platforms Transform ...

Financial services organizations face an impossible equation: maintain 99.9% uptime for mission-critical ...