Dashboards & Visualizations

Under Visualization I am getting the name and not value

palisetty
Communicator

Hello,
Under Visualization, I am getting the name and not value. Here is the query.

index="main" host="web_application" status="200" file="success.do" 
| stats sum(Price) as Revenue by ProductName
| sort - Revenue

I used Automatic Lookup.

Tags (1)

woodcock
Esteemed Legend

Never use sort without a number; try this:

index="main" AND host="web_application" AND status="200" AND file="success.do"
| stats sum(Price) AS Revenue BY ProductName
| sort 0 - Revenue

| rename Revenue AS Sales
| eval Revenue="WebSales"
| xyseries Revenue ProductName Sales

mydog8it
Builder

When you run the search, what do you see on the statistics tab? Does it look like a spreadsheet with the data you wish to see in a visualization or does it display incorrect data? What visualization are you trying to use on the results?

palisetty
Communicator

I think I figured it out. The reason it is coming as a string because I am using clause 'by ProductName'. So it is showing as top Product Name value from the column. If it is some numerical value I would have got some number. If I am wrong please feel free to correct me.
Thank you for trying to help me out.

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @palisetty,
let me understand:

  • in your lookup you have two columns, ProductName and Price, the first is a string, the second a number;
  • in your data you have ProductName and, using the automatic lookup, you have the value of the Price;
  • so you want to sum al the Prices for all the events grouped by ProductName;

is it correct?

If this is your need (as I said):

  • disable the automatic lookup,
  • check the lookup contents,
  • check if the lookup runs with your search results.

At this point (if you like) you can again enable your automatic lookup.

Ciao.
Giuseppe

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @palisetty,
could you better describe what are the result you have and the result you want?
Are Price and ProductName in you data or do you take from the lookup? what's the lookup search?
To debug it, you could disable the automatic lookup and manually use it.

Ciao and Merry Christmas.
Giuseppe

palisetty
Communicator

Hi Sir,
Merry Christmas. Thank you for taking time and helping others even on a holiday.

I am looking for the highest Revenue value to be displayed, not the ProductName. Price and ProductName are from Lookup.

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @palisetty,
as I said, the best approach is to disable the automatic lookup and manually use the lookup to understand if there's some problem on it:

  • If it runs when manually, the problem is on the automatic lookup creation;
  • If if doesn't run when manually the problem is on the data in lookup.

I don't like automatic lookups because they bring problems in debugging and understanding search logic!

Anyway at first, check the field names between search results and lookup that must be the same (field names are case sensitive!).

Ciao.
Giuseppe

palisetty
Communicator

Thank you Sir. I am actually learning Splunk. I will do as you said

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...