
scatter plot

mm12
Explorer

Hi,

I have the query below, and I need a scatter point visualization for it: time on the x-axis and the count on the y-axis. How can I achieve this?

| inputlookup hsbc_es_pr_mapping.csv
| eval "Configuration Item" = lower('Configuration Item')
| lookup hsbc_dc_app_eim_lookup_eim_basic_extract.csv hostname as "Configuration Item" OUTPUT IT_SERVICE
| search Status = Open
| fields "Problem Number" IT_SERVICE
| stats count as "Count of PR's" by IT_SERVICE
| sort 10 - "Count of PR's"

Thanks


ITWhisperer
SplunkTrust

Since you don't appear to have a time element in your search (and even if you did, it would have been removed by the stats command, since it isn't in the by clause), the first thing you need to do is define a search that will provide this data. When you have sorted that out, the x-axis (and indeed the y-axis) of a scatter chart needs numeric fields, and since _time is represented as a string in visualisations, you are going to need a different way to represent the passage of time, e.g. renaming _time as time so you keep the epoch value, or perhaps subtracting the minimum time from all the other time values.


mm12
Explorer

@ITWhisperer - Thanks for the reply. I have modified the query a little, but on the x-axis I am getting values like 100,000,000, 200,000,000, 300,000,000, etc. How do I overcome this?

| inputlookup hsbc_es_pr_mapping.csv
| eval "Configuration Item" = lower('Configuration Item')
| rename "Open Date/Time(UTC/GMT)" as Open_Date
| lookup hsbc_dc_app_eim_lookup_eim_basic_extract.csv hostname as "Configuration Item" OUTPUT IT_SERVICE
| search Status = Open
| stats count as "Count of PR's" by Open_Date IT_SERVICE
| sort 10 - "Count of PR's"
| eval Open_Time_timestamp = strptime(Open_Date, "%d %b %y %l:%M:%S")
| table IT_SERVICE Open_Time_timestamp "Count of PR's"

Thanks


ITWhisperer
SplunkTrust

You could finish the search by subtracting the earliest time, and then perhaps converting to minutes (since earliest). Or perhaps dividing again by 60 to get hours. Or you could subtract from now() to find how far back in the past the timestamp is. Whatever makes sense for you.

| eventstats min(Open_Time_timestamp) as beginning
| eval Open_Time_timestamp = Open_Time_timestamp - beginning
| eval Open_Time_timestamp = floor(Open_Time_timestamp / 60)
| table IT_SERVICE Open_Time_timestamp "Count of PR's"


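The transformation the answer above describes (parse the open-date string to epoch seconds, count per service and time, then subtract the earliest value and scale to minutes, or measure back from a reference time such as now()) is easy to get wrong on the timestamp-format and empty-lookup edges, so here is the same pipeline written out in Python as an added illustration. This is not code from the thread or from Splunk: the rows, hostnames and service names are constructed, `%I` stands in for the thread's `%l`, and treating the timestamps as UTC is an assumption about the source CSV.

```python
from collections import Counter
from datetime import datetime, timezone
from math import floor

# Constructed sample data standing in for the two CSV lookups joined in the
# thread (problem records mapped to an IT service via hostname). All values
# are invented for illustration; hostnames deliberately mix case to show why
# the search lowercases "Configuration Item" before the lookup.
PR_ROWS = [
    {"Problem Number": "PR001", "Configuration Item": "HOST-A", "Status": "Open",
     "Open Date/Time(UTC/GMT)": "03 Jan 24 09:15:00"},
    {"Problem Number": "PR002", "Configuration Item": "host-b", "Status": "Open",
     "Open Date/Time(UTC/GMT)": "03 Jan 24 09:15:00"},
    {"Problem Number": "PR003", "Configuration Item": "Host-C", "Status": "Open",
     "Open Date/Time(UTC/GMT)": "03 Jan 24 10:45:30"},
    {"Problem Number": "PR004", "Configuration Item": "HOST-A", "Status": "Closed",
     "Open Date/Time(UTC/GMT)": "02 Jan 24 08:00:00"},
    {"Problem Number": "PR005", "Configuration Item": "HOST-Z", "Status": "Open",
     "Open Date/Time(UTC/GMT)": "03 Jan 24 11:00:00"},
]
HOST_TO_SERVICE = {"host-a": "Payments", "host-b": "Payments", "host-c": "Trading"}

# 12-hour clock with no AM/PM marker, mirroring the format in the thread
# (Python's %I plays the role of Splunk's %l). Without %p a "12:xx" value is
# read as midnight, so this format is an assumption about the source data.
OPEN_TIME_FORMAT = "%d %b %y %I:%M:%S"


def parse_open_time(text):
    """Return epoch seconds for an Open Date/Time string (assumed to be UTC)."""
    return datetime.strptime(text, OPEN_TIME_FORMAT).replace(tzinfo=timezone.utc).timestamp()


def count_open_prs(rows, host_to_service):
    """Mirror `lookup ... | search Status=Open | stats count by Open_Date IT_SERVICE`.

    Returns {(service, epoch_seconds): count}. Rows whose host has no service
    mapping are dropped, as an unmatched lookup leaves IT_SERVICE empty.
    """
    counts = Counter()
    for row in rows:
        if row["Status"] != "Open":
            continue
        service = host_to_service.get(row["Configuration Item"].lower())
        if service is None:
            continue
        counts[(service, parse_open_time(row["Open Date/Time(UTC/GMT)"]))] += 1
    return counts


def to_scatter_points(counts, unit_seconds=60, reference=None, limit=10):
    """Turn (service, epoch) counts into numeric (service, x, y) scatter points.

    x = floor((epoch - earliest) / unit_seconds) when reference is None, i.e.
    time since the first record, as in the eventstats/min answer above; or
    x = floor((reference - epoch) / unit_seconds) when a reference epoch such
    as now() is given, i.e. how far back in the past the record sits.
    The `limit` highest counts are kept, like `sort 10 - "Count of PR's"`.
    """
    if not counts:
        return []
    earliest = min(epoch for _, epoch in counts)
    points = []
    for (service, epoch), count in counts.items():
        delta = (reference - epoch) if reference is not None else (epoch - earliest)
        points.append((service, floor(delta / unit_seconds), count))
    points.sort(key=lambda p: (-p[2], p[1], p[0]))
    return points[:limit]


if __name__ == "__main__":
    counts = count_open_prs(PR_ROWS, HOST_TO_SERVICE)
    for service, minutes, count in to_scatter_points(counts):
        print(f"{service:10s} x={minutes:4d} min  y={count}")
```

With the sample rows, the two Payments records opened at the same minute collapse to one point at x=0 with y=2, the Trading record lands 90 minutes later, the closed record and the unmapped host are dropped, and passing `unit_seconds=3600` with a reference epoch gives "hours ago" instead. Whichever scaling you pick, the x values stay small integers rather than raw epoch seconds, which is what the chart's axis needs.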