Dashboards & Visualizations

Why is the heatmap overlay failing?

Contributor

What wrong with the "and col=9"?

heatmap overlay failed

| gentimes start="1/1/2000" end="1/2/2000" increment=1s | head 400 | streamstats current=f count | eval row=floor(count/20) | eval col=count%20 | eval value=0 | eval value=value+if(row=9 and col=9, random()%200, 0) | table col row value | eval row="row"+substr("0"+row, -2, 2) | eval col="col"+substr("0"+col, -2, 2) | chart limit=20 sum(value) by row col | fields - row

heatmap overlay succeeded

| gentimes start="1/1/2000" end="1/2/2000" increment=1s | head 400 | streamstats current=f count | eval row=floor(count/20) | eval col=count%20 | eval value=0 | eval value=value+if(row=9, random()%200, 0) | table col row value | eval row="row"+substr("0"+row, -2, 2) | eval col="col"+substr("0"+col, -2, 2) | chart limit=20 sum(value) by row col | fields - row

alt text

0 Karma

Splunk Employee
Splunk Employee

You'll need to capitalize AND to use it as a boolean. Otherwise, it is assumed that you are using it as a search term.

0 Karma

Contributor

row=9 and col=9
row=9 AND col=9

Both uppercase and lowercase logical AND successfully constrained the output to a single cell. Heatmap overlay failed in both cases. Have you copy & pasted the 2 searches and tried?

0 Karma

Splunk Employee
Splunk Employee

Odd. I had thought it worked with uppercase AND but it turns out I was on high/low instead of heatmap overlay. Looks like a bug.

0 Karma