Dashboards & Visualizations

multiple bar charts from one search result table

billself
New Member

Hi

I have a search that returns a table with 3 columns; the first column is the process name, the second is timestamps (say every 5 minutes for the last 4 hours), the third is the number of items in the queue for that process at that timestamp. I'd like to generate a separate bar chart for each of the processes (there can be 30 or more processes so generate that many small bar charts).

Can this be done or do I need over 30 searches or 30 filters against one search or some-such and generate a chart from each of those searches?

Thanks for any help you can give (we have Splunk Enterprise 6.5).

Bill

0 Karma

billself
New Member

Hi

Thanks for your help on this. In the end I used individual queries (mostly the same but '... | search process="process_name" ') for each bar chart on one dashboard. Not ideal but is working well.

Bill

0 Karma

gokadroid
Motivator

If you already have fields called process, myTime (5-minute difference time over the last four hours), and queue_item, can you not try this and see if that's what you needed:

your query to return the process, myTime and queue_item
| chart count(queue_item) over myTime by process

Choose bar chart as the visualization option.

If the time division is not already done and you need to perform this 5-minute division first, just add earliest=-4h in the first line of the search that you perform, and later | bucket _time span=5m to divide _time into 5-minute spans, to do similar charting further, like:

your query to return the process and queue_item earliest=-4h
| bucket _time span=5m
| chart count(queue_item) over _time by process
0 Karma

Flynt
Splunk Employee

I'd look into http://docs.splunk.com/Documentation/Splunk/6.5.0/Viz/Savedsearches#Post-process_searches where you have a base search that contains your "datacube" or all the results you want. Then define some postprocess searches that filter down to your processes. Afaik, there's no way in simplexml to spawn off multiple visualizations from one result set without postprocess. If there was a way to group the processes, that would cut down on the amount of filters needed, then you could show a bar chart with a group of say 5 processes or what have you.

0 Karma
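
The post-process approach described in the answer above, sketched as a Simple XML dashboard. This is an added example, not code from the thread: the index, sourcetype, process names and the choice of max() as the aggregate are assumptions, while process and queue_item are the field names used in the thread.

```xml
<dashboard>
  <label>Queue depth per process</label>
  <!-- Base search: runs once and holds the whole result set.
       index/sourcetype are placeholders; max() is an assumed aggregate. -->
  <search id="queue_base">
    <query>index=placeholder_index sourcetype=placeholder_sourcetype
| bucket _time span=5m
| stats max(queue_item) AS queue_item BY _time, process</query>
    <earliest>-4h</earliest>
    <latest>now</latest>
  </search>
  <row>
    <panel>
      <title>process_a</title>
      <chart>
        <!-- Post-process search: filters the base results, no new search job -->
        <search base="queue_base">
          <query>search process="process_a" | fields _time, queue_item</query>
        </search>
        <option name="charting.chart">bar</option>
        <option name="charting.legend.placement">none</option>
      </chart>
    </panel>
    <panel>
      <title>process_b</title>
      <chart>
        <search base="queue_base">
          <query>search process="process_b" | fields _time, queue_item</query>
        </search>
        <option name="charting.chart">bar</option>
        <option name="charting.legend.placement">none</option>
      </chart>
    </panel>
  </row>
</dashboard>
```

Each further process gets another panel that differs only in its title and the process value in the post-process query, so the data is searched once however many charts are shown.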