Dashboards & Visualizations

why can't i convert my table to chart (visualization) ?

summerura
Explorer

Hi all,

i want to convert my table to chart, but somehow i can't.. 

this is my search 

summerura_0-1594136146471.png

result is something like that.. 

summerura_1-1594136207139.png

and i want to convert this table to chart (visualization). 

summerura_2-1594136320246.png

when i click the visualization tab,  as you see there are not values for Y-axis. 

Can somebody help me? 

Thanks a lot 

 

 

 

 

Labels (3)
0 Karma
1 Solution

niketn
Legend

@summerura your TB field seems to have comma in its value, which means it will not be treated as numeric. One of the options is to not to create the Date field and use timechart instead of stats:

<yourBaseSearch>
| timechart span=1d max(diskUsageTB) as TB

Second option in case you want to use Stats with your custom Date field then you can try the following to remove comma from TB value. PS: While using string date you should use %Y/%m/%d and not %m/%d/%Y as string date can go out of sequence.

| eval Date=strftime(_time,"%Y/%m/%d")
| stats max(diskUsageTB) as TB by Date
| eval TB=replace(TB,",","")

 

Preferred option is Option 1. But please try out and confirm!

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

View solution in original post

niketn
Legend

@summerura your TB field seems to have comma in its value, which means it will not be treated as numeric. One of the options is to not to create the Date field and use timechart instead of stats:

<yourBaseSearch>
| timechart span=1d max(diskUsageTB) as TB

Second option in case you want to use Stats with your custom Date field then you can try the following to remove comma from TB value. PS: While using string date you should use %Y/%m/%d and not %m/%d/%Y as string date can go out of sequence.

| eval Date=strftime(_time,"%Y/%m/%d")
| stats max(diskUsageTB) as TB by Date
| eval TB=replace(TB,",","")

 

Preferred option is Option 1. But please try out and confirm!

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

summerura
Explorer

hey, @niketn  thanks 🙂 both options from your first comment work well! 

(The another reply was for @richgalloway .)

But first option shows every date even if there are no data(TB).

 Any tips for that?  

0 Karma

richgalloway
SplunkTrust
SplunkTrust

The timechart command automatically fills in missing dates.  You can always remove them with

... | where NOT TB=0

 

---
If this reply helps you, Karma would be appreciated.

niketn
Legend

@summeruraGlad you got them to work! You can use cont=f option with timechart to show only the dates which have data.

Also do up vote the comments that helped 🙂

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

richgalloway
SplunkTrust
SplunkTrust

I believe that data won't chart because the values() function produces a multi-value field.  Try

| stats max(diskusageTB) as TB by Date

(no need for rename with this command). 

---
If this reply helps you, Karma would be appreciated.

summerura
Explorer

thanks, but it works neither. 

0 Karma

niketn
Legend

@summerura Following are two run anywhere example based on the Sample Data and SPL you have provided. So if the option is not working for you please provide the SPL you have tried and the final output results you are getting.

Option 1

| gentimes start=-10
| eval _time=starttime
| fields _time
| eval Date=strftime(_time,"%Y/%m/%d"), diskUsageTB=replace(substr(tostring(random()),1,3),"(\d{1})(\d{2})","\1,\2")
| stats max(diskUsageTB) as TB by Date
| eval TB=replace(TB,",","")

 

Option 2

| gentimes start=-10
| eval _time=starttime
| fields _time
| eval diskUsageTB=replace(substr(tostring(random()),1,3),"(\d{1})(\d{2})","\1,\2")
| timechart span=1d max(diskUsageTB) as TB

 

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...