Hi
I need to do a heat map visualization
I have checked the dashboard examples addon and in this example a lookup is used
| inputlookup sample-data.csv
Is it possible to do the same thing without a lookup please? I mean by using an index and an eval command
For example, if the field "Value" is < 50 the color is green, < 30 the color is orange and < 10 the color is red in my heat map
Rgds
SPL 101 - each search needs a set of events to work with, inputlookup is one way of getting them, replacing this with an index search is another, so, yes, there are a number of ways to do the same thing without inputlookup!
Could you please give me an example?
Here is an example of a user using index to generate some events at the beginning of a search
So, instead of using gentimes to generate events, use an index search (as you would normally do)
It's what I am doing, but it returns no heat map
index="main" sourcetype="Perfmon:disk"
| eval _time=strptime(time, "%m/%d/%Y %H:%M")
| timechart eval(round(avg(Value),0)) by host
instead of this, which returns a heat map
| inputlookup sample-data.csv
| eval _time=strptime(time, "%m/%d/%Y %H:%M")
| timechart eval(round(avg(value),0)) by name
You should understand what your data is, not blindly copy other searches and expect them to work on different data!
Your data probably already has the _time field with valid data (although I am guessing here as (yet again) you haven't shared your events (as has been suggested many times before!)) - try this
index="main" sourcetype="Perfmon:disk"
| timechart eval(round(avg(Value),0)) by host
If it doesn't work, may I suggest you provide more information such as the event you have in your index?
Now it works...
Last question: how to change the rangemap of the colors?
Is it in the XML or is it automatic?
I don't know why but the field "Value" displays anything when I execute your search even if the field exists