Dashboards & Visualizations
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Visual for Top N per day

EagleLakeWood
Observer
‎02-02-2021 12:48 PM

It took me quite a while to get the search right, but I believe I have it returning the data that I would like to chart.

The data looks something like this:

_timeSalesPersonNumberOfSales
2/1/2021Tom54
2/1/2021Steve46
2/1/2021Molly23
1/31/2021Brenda12
1/31/2021Tom33
1/31/2021Molly30

 

The top 3 sales people and their number of sales are listed per day.

I would like to create a visual like this:
SplunkChart.jpg

I would even settle for a Trellis split by day, but I can't seem to make that happen from this data either.

My search is something like this:

base search
| bin span=1d _time
| stats sum(NUMBER_OF_SALES) as NumberOfSales by _time, SalesPerson
| sort -_time -NumberOfSales | dedup 3 _time

Labels (1)
Labels
0 Karma
Reply

to4kawa
Ultra Champion
‎02-02-2021 01:36 PM

base search
| bin span=1d _time
| stats sum(NUMBER_OF_SALES) as NumberOfSales by _time, SalesPerson
| sort 3 -_time -NumberOfSales

 

Why not trellis by _time?

0 Karma
Reply

EagleLakeWood
Observer
‎02-02-2021 05:57 PM

I'm not sure what controls what fields you can select from in the split by dropdown on the trellis dialog box, but _time is not one of the choice.  I can split by the SalesPerson and NumberOfSales fields, but not _time

0 Karma
Reply

bowesmana
SplunkTrust
SplunkTrust
‎02-02-2021 10:46 PM

@EagleLakeWood 

If you rearrange the table, so that time and each salesperson is a column and the number of sales is the value in each cell, then you can just do a simple bar chart, see this example

| makeresults
| eval _raw="date	SalesPerson	NumberOfSales
2/1/2021	Tom	54
2/1/2021	Steve	46
2/1/2021	Molly	23
1/31/2021	Brenda	12
1/31/2021	Tom	33
1/31/2021	Molly	30"
| multikv forceheader=1
| eval _time=strptime(date, "%m/%d/%Y")
| chart values(NumberOfSales) as NumberOfSales over date by SalesPerson

See that here I am doing over the text representation of date, as it will centre it as text on the x axis. If you use over _time, then the x-axis will be a timeline.

However, if you use the text date, then it will sort the results textually, so will not give a good date timeline.

You can always fiddle that by making the dates YYYY-MM-DD and then reformatting it to the US format after the chart.

0 Karma
Reply

EagleLakeWood
Observer
‎02-03-2021 07:01 AM

I appreciate the suggestion, but I think that may be a dead-end for me.  My original question illustrated only two days, but I would really like this visual to show per day over many days.  Let's say there's 100 sales people and the top 3 per day can vary widely.  Over a 7 day period, perhaps 15 different people are in the top 3.  I would have no-data bars in the chart every day due to the blanks created by someone being in the top 3 from another day. 
On top of that issue, there's no decent way to show the Sales person name and the number of sales on the chart.
I think I just need to consider something else to represent this data visually. 

0 Karma
Reply

bowesmana
SplunkTrust
SplunkTrust
‎02-03-2021 01:22 PM

Yes, you're right @EagleLakeWood the challenge is to first understand how you want to visualise, then munge the data accordingly.

Have you looked at the available visualisations on Splunkbase. Many of them are time based, so may provide a solution.

https://splunkbase.splunk.com/apps/#/app_content/visualizations

It is possible to get the trellis view by date, like this

| makeresults
| eval _raw="date	SalesPerson	NumberOfSales
2/1/2021	Tom	54
2/1/2021	Steve	46
2/1/2021	Molly	23
1/31/2021	Brenda	12
1/31/2021	Tom	33
1/31/2021	Molly	30"
| multikv forceheader=1
| eval _time=strptime(date, "%m/%d/%Y")
| stats count by date SalesPerson  NumberOfSales
| fields - count

and then you will get 'date' as a field you can trellis by, but that will not really solve your many date case, as even if you use a small trellis, you will not get that many on a page.

 

0 Karma
Reply
Get Updates on the Splunk Community!

.conf25 technical session recap of Observability for Gen AI: Monitoring LLM ...

If you’re unfamiliar, .conf is Splunk’s premier event where the Splunk community, customers, partners, and ...

A Season of Skills: New Splunk Courses to Light Up Your Learning Journey

There’s something special about this time of year—maybe it’s the glow of the holidays, maybe it’s the ...

Announcing the Migration of the Splunk Add-on for Microsoft Azure Inputs to ...

Announcing the Migration of the Splunk Add-on for Microsoft Azure Inputs to Officially Supported Splunk ...