Splunk Enterprise Security

How to show the latest month's data as a solid line and all other months as marker points in a line chart?

Explorer

Hi,

I have data for each month like below.
For example,

Data1  min  Months
-1     322  Jan-19
1      340  Jan-19
2      200  Jan-19
-1     250  Feb-19
1      360  Feb-19
2      200  Feb-19

Similarly for all months until Oct-19.
We want to show min over Data1 by Months. We want to display all months' data as dots and, for the latest month (Oct-19), show a solid line, in a single chart panel.
Please help.

0 Karma

Ultra Champion

line chart

I don't know what the data means, so I can't grasp the screen image.
I tried it with the same data.

0 Karma

Esteemed Legend

Either this:

... | chart first(min) AS min BY Months Data1

Or this:

... | chart first(min) AS min BY Data1 Months

Or this:

... | chart first(Data1) AS Data1 BY Months min

Or this:

... | chart first(Data1) AS Data1 BY min Months

0 Karma

Ultra Champion
| makeresults count=2
| streamstats count
| eval _time = if(count==2, relative_time(_time,"@y"), relative_time(_time,"-1month@month"))
| makecontinuous span=1month
| eval Data1="-1 1 2"
| makemv Data1
| mvexpand Data1
| eval min=(random() % 20 + 15) * 10
| table _time min Data1
`comment("this is sample data")`
| chart values(min) as min over _time by Data1
| eventstats values(eval(if(strftime(_time,"%m")=="10",'-1',null()))) as OCT_-1
    ,values(eval(if(strftime(_time,"%m")=="10",'1',null()))) as OCT_1
    ,values(eval(if(strftime(_time,"%m")=="10",'2',null()))) as OCT_2
| where tonumber(strftime(_time,"%m")) < 10

Column chart

If you make every month a dot, you won't be able to line up October.

0 Karma

Explorer

@to4kawa
Thank you for the response.
But I want Data1 plotted on the X-axis and mins on the Y-axis by months; each month should be shown as dots, and the last month should be shown as a solid dark line.

0 Karma