
stacked graph legend change

lancealotx
Explorer

I now have a nice stacked bar working nicely and I would like to change the legend to something more readable. Reading through the manual I am still a bit unclear if this is done in the search or in the XML of the graph. I can change the stack colors using:

<option name="charting.seriesColors">[0xFF0000,0xFFFF00,0x00FF00]</option>

so I am thinking it will be here. I tried using the following:

<option name="charting.legend.labels">[result1,result2,result3,result41]</option>

Now when I do that, I now have 8 values in the legend, the 4 original and the 4 new ones, but I would simply like to associate the ones I have with the real data.

Tnx

0 Karma
1 Solution

sowings
Splunk Employee

Based upon your comment above, it sounds a bit like you need a string translation table to convert an ApiKey value into something "readable". There are two ways to do this. Quick and dirty: use eval and case(). It might look like this:


eval legend=case(ApiKey="123", "Website", ApiKey="otherval", "Legend 2", ...)

A more extensible way would be to perform a lookup. Start here. The gist of a lookup is that a small CSV file is created to map one set of values to another (and this can be a multi-way table, too, performing lookups in the other direction). You'd map your ApiKey values to a readable string, then call (or automate) the lookup, so that you have a new field, say, "legend", that would contain the label you want. The nice thing about a lookup is that if you change or extend the table, the results are visible as soon as you run the next search.


lancealotx
Explorer

Thanks guys, neither one worked. Neither gave a red error but all 3, the legend, the red and the eval just gave the same API string as the legend. So, I am going to grab some coffee and read up on the lookup since that would be the right way to do it, I will see if that works and repost.

Tnx.

0 Karma

sowings
Splunk Employee

If you use a case statement, nested if, or lookup to create a new field, you'd have to timechart (or chart, or stats) by that field in order for it to be the label for the legend in the graph. Simply having that data available as a field isn't enough; it has to be part of your final charting outputs.

0 Karma
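The lookup approach combined with charting by the new field, as an added example that is not part of the original posts: the first search writes the mapping table, and the second applies it and splits the timechart by the readable label, falling back to the raw ApiKey when a key is missing from the table so it does not end up in a NULL series. The file name apikey_labels.csv and the labels "Android" and "Partner API" are assumptions; the ApiKey values are the placeholders used in this thread.

```spl
| makeresults
| eval row=split("123,Website;456,iPhone;789,Android;abc123,Partner API", ";")
| mvexpand row
| eval ApiKey=mvindex(split(row, ","), 0), legend=mvindex(split(row, ","), 1)
| table ApiKey legend
| outputlookup apikey_labels.csv

memberLevel="25" AND (ApiKey="123" OR ApiKey="456" OR ApiKey="789" OR ApiKey="abc123")
| lookup apikey_labels.csv ApiKey OUTPUT legend
| eval legend=coalesce(legend, ApiKey)
| timechart span=1d count BY legend
```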

cphair
Builder

That's odd. You changed the field in the timechart command, right? timechart span=1d count BY legend (or newfield).

sowings is probably right about the lookup being best, especially if you will ever reuse this.

0 Karma


lancealotx
Explorer

Could not get the eval to work, but using the lookup with a csv it worked perfectly!

Thanks

0 Karma

cphair
Builder

You can replace the actual value of the ApiKey field with rex:


...| rex field=ApiKey mode=sed "s/123/NiceName/"

I don't know of a way to run multiple sed commands in one rex statement, so you'd need four of those. If you wanted to create a new field, you could do an eval with a bunch of nested ifs, something like this:

...| eval newfield=if(ApiKey="123","Foo",if(ApiKey="456", "Bar", if(ApiKey="789","Baz",if(ApiKey="abc123","Fiz","Faz"))))

and then break up the timechart by newfield instead of ApiKey.

I don't know of a way to rename the lines in the legend, though there may be one.

tsmithsplunk
Path Finder

Using "rex mode=sed" worked for me. If your field has a finite known number of values you can use multiple "rex" commands to replace the codey looking values with readable text.

0 Karma

lancealotx
Explorer

Sure, didn't even think of that.

memberLevel="25" AND (ApiKey = "123" OR ApiKey = "456" OR ApiKey = "789" OR ApiKey = "abc123") | timechart span=1d count BY ApiKey

This gives me one stacked bar for each day with a few colors, example the red box is the website API key, the blue is the iPhone. The people looking at the reports don't know what an api key is let alone each one is around 16 characters, so I would simply like to use either the XML file or an AS in sql, like apikey="123" AS website, just not sure how.

Thanks

0 Karma

cphair
Builder

@lancealotx, would you mind posting your search and what actually shows up in the legend? I'm unclear what's unreadable about it.

0 Karma