Dashboards & Visualizations

why can't i convert my table to chart (visualization) ?

summerura
Explorer

Hi all,

i want to convert my table to chart, but somehow i can't.. 

this is my search 

summerura_0-1594136146471.png

result is something like that.. 

summerura_1-1594136207139.png

and i want to convert this table to chart (visualization). 

summerura_2-1594136320246.png

when i click the visualization tab,  as you see there are not values for Y-axis. 

Can somebody help me? 

Thanks a lot 

 

 

 

 

Labels (3)
0 Karma
1 Solution

niketnilay
Legend

@summerura your TB field seems to have comma in its value, which means it will not be treated as numeric. One of the options is to not to create the Date field and use timechart instead of stats:

<yourBaseSearch>
| timechart span=1d max(diskUsageTB) as TB

Second option in case you want to use Stats with your custom Date field then you can try the following to remove comma from TB value. PS: While using string date you should use %Y/%m/%d and not %m/%d/%Y as string date can go out of sequence.

| eval Date=strftime(_time,"%Y/%m/%d")
| stats max(diskUsageTB) as TB by Date
| eval TB=replace(TB,",","")

 

Preferred option is Option 1. But please try out and confirm!

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

View solution in original post

niketnilay
Legend

@summerura your TB field seems to have comma in its value, which means it will not be treated as numeric. One of the options is to not to create the Date field and use timechart instead of stats:

<yourBaseSearch>
| timechart span=1d max(diskUsageTB) as TB

Second option in case you want to use Stats with your custom Date field then you can try the following to remove comma from TB value. PS: While using string date you should use %Y/%m/%d and not %m/%d/%Y as string date can go out of sequence.

| eval Date=strftime(_time,"%Y/%m/%d")
| stats max(diskUsageTB) as TB by Date
| eval TB=replace(TB,",","")

 

Preferred option is Option 1. But please try out and confirm!

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

View solution in original post

summerura
Explorer

hey, @niketnilay  thanks 🙂 both options from your first comment work well! 

(The another reply was for @richgalloway .)

But first option shows every date even if there are no data(TB).

 Any tips for that?  

0 Karma

richgalloway
SplunkTrust
SplunkTrust

The timechart command automatically fills in missing dates.  You can always remove them with

... | where NOT TB=0

 

---
If this reply helps you, an upvote would be appreciated.

niketnilay
Legend

@summeruraGlad you got them to work! You can use cont=f option with timechart to show only the dates which have data.

Also do up vote the comments that helped 🙂

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

richgalloway
SplunkTrust
SplunkTrust

I believe that data won't chart because the values() function produces a multi-value field.  Try

| stats max(diskusageTB) as TB by Date

(no need for rename with this command). 

---
If this reply helps you, an upvote would be appreciated.

summerura
Explorer

thanks, but it works neither. 

0 Karma

niketnilay
Legend

@summerura Following are two run anywhere example based on the Sample Data and SPL you have provided. So if the option is not working for you please provide the SPL you have tried and the final output results you are getting.

Option 1

| gentimes start=-10
| eval _time=starttime
| fields _time
| eval Date=strftime(_time,"%Y/%m/%d"), diskUsageTB=replace(substr(tostring(random()),1,3),"(\d{1})(\d{2})","\1,\2")
| stats max(diskUsageTB) as TB by Date
| eval TB=replace(TB,",","")

 

Option 2

| gentimes start=-10
| eval _time=starttime
| fields _time
| eval diskUsageTB=replace(substr(tostring(random()),1,3),"(\d{1})(\d{2})","\1,\2")
| timechart span=1d max(diskUsageTB) as TB

 

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"