Dashboards & Visualizations

Why can't I convert my table to a chart (visualization)?

summerura
Explorer

Hi all,

I want to convert my table to a chart, but somehow I can't.

this is my search 

summerura_0-1594136146471.png

result is something like that.. 

summerura_1-1594136207139.png

And I want to convert this table to a chart (visualization).

summerura_2-1594136320246.png

When I click the Visualization tab, as you can see, there are no values for the Y-axis.

Can somebody help me? 

Thanks a lot 


niketn
Legend

@summerura your TB field seems to have a comma in its value, which means it will not be treated as numeric. One of the options is not to create the Date field and to use timechart instead of stats:

<yourBaseSearch>
| timechart span=1d max(diskUsageTB) as TB

The second option, in case you want to use stats with your custom Date field: you can try the following to remove the comma from the TB value. PS: While using a string date you should use %Y/%m/%d and not %m/%d/%Y, as a string date can go out of sequence.

| eval Date=strftime(_time,"%Y/%m/%d")
| stats max(diskUsageTB) as TB by Date
| eval TB=replace(TB,",","")

 

Preferred option is Option 1. But please try out and confirm!

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

summerura
Explorer

Hey, @niketn thanks 🙂 both options from your first comment work well!

(The other reply was for @richgalloway.)

But the first option shows every date even if there is no data (TB).

Any tips for that?


richgalloway
SplunkTrust

The timechart command automatically fills in missing dates.  You can always remove them with

... | where NOT TB=0

 

---
If this reply helps you, Karma would be appreciated.

niketn
Legend

@summerura Glad you got them to work! You can use the cont=f option with timechart to show only the dates which have data.

Also do upvote the comments that helped 🙂

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

richgalloway
SplunkTrust

I believe that data won't chart because the values() function produces a multi-value field.  Try

| stats max(diskusageTB) as TB by Date

(no need for rename with this command). 

---
If this reply helps you, Karma would be appreciated.

summerura
Explorer

Thanks, but it doesn't work either.


niketn
Legend

@summerura Following are two run-anywhere examples based on the sample data and SPL you have provided. So if the option is not working for you, please provide the SPL you have tried and the final output results you are getting.

Option 1

| gentimes start=-10
| eval _time=starttime
| fields _time
| eval Date=strftime(_time,"%Y/%m/%d"), diskUsageTB=replace(substr(tostring(random()),1,3),"(\d{1})(\d{2})","\1,\2")
| stats max(diskUsageTB) as TB by Date
| eval TB=replace(TB,",","")

 

Option 2

| gentimes start=-10
| eval _time=starttime
| fields _time
| eval diskUsageTB=replace(substr(tostring(random()),1,3),"(\d{1})(\d{2})","\1,\2")
| timechart span=1d max(diskUsageTB) as TB

 

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
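
An added run-anywhere illustration of the comma problem discussed in this thread (it was not posted by any participant). It converts the comma-formatted value to a number before aggregating and keeps the string maximum beside it for comparison. The sample values are constructed, and TB_num and TB_as_string are names chosen for this example.

```spl
| makeresults count=6
| streamstats count as n
| eval _time=relative_time(now(), "@d") - (n % 2) * 86400
| eval diskUsageTB=case(n=1,"9,500", n=2,"8,000", n=3,"10,250", n=4,"1,200", n=5,"2,950", n=6,"12,050")
| eval TB_num=tonumber(replace(diskUsageTB, ",", ""))
| eval Date=strftime(_time, "%Y/%m/%d")
| stats max(diskUsageTB) as TB_as_string max(TB_num) as TB by Date
```

Because every diskUsageTB value contains a comma, max() compares them as strings, so TB_as_string comes out as "9,500" and "8,000", while TB holds the numeric maxima 10250 and 12050. Only TB gives the Visualization tab a numeric series for the Y-axis.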