help on heat_map_visualization

jip31
Motivator

Hi,

I need to do a heat map visualization.

I have checked the dashboard examples add-on, and in this example a lookup is used:

 | inputlookup sample-data.csv

Is it possible to do the same thing without a lookup, please? I mean by using an index and an eval command.

For example, if the field "Value" is < 50 the color is green, < 30 the color is orange, and < 10 the color is red in my heat map.

Rgds

ITWhisperer
SplunkTrust

SPL 101 - each search needs a set of events to work with, inputlookup is one way of getting them, replacing this with an index search is another, so, yes, there are a number of ways to do the same thing without inputlookup!

jip31
Motivator

Could you please give me an example?

ITWhisperer
SplunkTrust

Here is an example of a user using index to generate some events at the beginning of a search

https://community.splunk.com/t5/Splunk-Enterprise/help-on-append-command-in-a-line-chart/m-p/676700#...

 


jip31
Motivator

Not sure you understand my needs. In the example below you can see that random numbers are displayed:

| gentimes start=-10 increment=4h
| eval "Server Availability"=random()%100, "Customer Satisfaction"=random()%100, "Server Performance"=random()%100, _time=starttime
| table _time, "Server Availability", "Customer Satisfaction", "Server Performance"

Instead of random numbers, I would like to have true numbers from my index, for example from the field "Value", so I don't know how to query on it in the example I gave to you.

ITWhisperer
SplunkTrust

So, instead of using gentimes to generate events, use an index search (as you would normally do)

jip31
Motivator

It's what I am doing, but it returns no heat map:

index="main" sourcetype="Perfmon:disk" 
| eval _time=strptime(time, "%m/%d/%Y %H:%M") 
| timechart eval(round(avg(Value),0)) by host

instead of this, which returns a heat map:

| inputlookup sample-data.csv
| eval _time=strptime(time, "%m/%d/%Y %H:%M")
| timechart eval(round(avg(value),0)) by name


ITWhisperer
SplunkTrust

You should understand what your data is, not blindly copy other searches and expect them to work on different data!

Your data probably already has the _time field with valid data (although I am guessing here as (yet again) you haven't shared your events (as has been suggested many times before!)) - try this:

index="main" sourcetype="Perfmon:disk" 
| timechart eval(round(avg(Value),0)) by host

If it doesn't work, may I suggest you provide more information such as the event you have in your index?

jip31
Motivator

Now it works...

Last question: how to change the rangemap of the colors?

Is it in the XML or is it automatic?


jip31
Motivator

I don't know why, but the field "Value" displays anything when I execute your search, even if the field exists.
