Dashboards & Visualizations
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

help on heat_map_visualization

jip31
Motivator
‎09-12-2024 10:31 PM

hi

i need to do an heat map vizualization

i have checked the dasbord examples addon and in this example a lookup is used 

 | inputlookup sample-data.csv

is it possible to do the same thing without a lookup please? I mean by using an index and an eval command

for example if the field "Value" is < 50 th color is green, <30, the color is orange and < 10 the color is red in my heat map

Rgds

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎09-13-2024 03:20 AM

You should understand what your data is not blindly copy other searches and expect them to work on different data!

Your data probably already has the _time field with valid data (although I am guessing here as (yet again) you haven't shared your events (as has been suggested many times before!) - try this

index="main" sourcetype="Perfmon:disk" 
| timechart eval(round(avg(Value),0)) by host

If it doesn't work, may I suggest you provide more information such as the event you have in your index?

View solution in original post

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎09-13-2024 12:48 AM

SPL 101 - each search needs a set of events to work with, inputlookup is one way of getting them, replacing this with an index search is another, so, yes, there are a number of ways to do the same thing without inputlookup!

0 Karma
Reply
Solved! Jump to solution

jip31
Motivator
‎09-13-2024 12:57 AM

could you please give me an example?

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎09-13-2024 01:23 AM

Here is an example of a user using index to generate some events at the beginning of a search

https://community.splunk.com/t5/Splunk-Enterprise/help-on-append-command-in-a-line-chart/m-p/676700#...

 

0 Karma
Reply
Solved! Jump to solution

jip31
Motivator
‎09-13-2024 01:43 AM
Not sure you understand my needs In the example below you can see thats random numbers are displayed | gentimes start=-10 increment=4h | eval "Server Availability"=random()%100, "Customer Satisfaction"=random()%100,"Server Performance"=random()%100, _time=starttime | table _time, "Server Availability","Customer Satisfaction","Server Performance" Instead random numbers, i would like to have true numbers froms my index, for example from the field "Value" so i dont know how to query on it in the example i gave to you
Tags (1)
0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎09-13-2024 02:03 AM

So, instead of using gentimes to generate events, use an index search (as you would normally do)

0 Karma
Reply
Solved! Jump to solution

jip31
Motivator
‎09-13-2024 02:15 AM

its what I am doing but it returns no heat map

index="main" sourcetype="Perfmon:disk" 
| eval _time=strptime(time, "%m/%d/%Y %H:%M") 
| timechart eval(round(avg(Value),0)) by host

instead this which returns an heat map

| inputlookup sample-data.csv
| eval _time=strptime(time, "%m/%d/%Y %H:%M")
| timechart eval(round(avg(value),0)) by name

jip31_0-1726218913792.png

 

0 Karma
Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎09-13-2024 03:20 AM

You should understand what your data is not blindly copy other searches and expect them to work on different data!

Your data probably already has the _time field with valid data (although I am guessing here as (yet again) you haven't shared your events (as has been suggested many times before!) - try this

index="main" sourcetype="Perfmon:disk" 
| timechart eval(round(avg(Value),0)) by host

If it doesn't work, may I suggest you provide more information such as the event you have in your index?

0 Karma
Reply
Solved! Jump to solution

jip31
Motivator
‎09-13-2024 03:49 AM

now it works...

Last question : how to change the rangemap of the colors

It iis in the xml or is it automatic?

jip31_0-1726224436935.png

 

0 Karma
Reply
Solved! Jump to solution

jip31
Motivator
‎09-13-2024 03:37 AM

I dont know why but the fields "Value" displays anything when i execute your search even if the field exists

jip31_0-1726223818467.png

 

0 Karma
Reply
Solved! Jump to solution

jip31
Motivator
‎09-13-2024 01:41 AM
Not sure you understand my needs In the example below you can see thats random numbers are displayed | gentimes start=-10 increment=4h | eval "Server Availability"=random()%100, "Customer Satisfaction"=random()%100,"Server Performance"=random()%100, _time=starttime | table _time, "Server Availability","Customer Satisfaction","Server Performance" Instead random numbers, i would like to have true numbers froms my index, for example from the field "Value" so i dont know how to query on it in the example i gave to you
0 Karma
Reply
Get Updates on the Splunk Community!

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...

🔐 Trust at Every Hop: How mTLS in Splunk Enterprise 10.0 Makes Security Simpler

From Idea to Implementation: Why Splunk Built mTLS into Splunk Enterprise 10.0  mTLS wasn’t just a checkbox ...