Splunk Enterprise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Splunk SPL & visualisation

uagraw01
Builder
‎12-06-2023 04:53 AM

Hello Splunkers!!

index=messagebus "AsrLocationStatusUpdate.AsrLocationStatus.LocationQualifiedName"="ASR/Hb/*/Entry*" OR "AsrLocationStatusUpdate.AsrLocationStatus.LocationQualifiedName"="ASR/Hb/*/Exit*" | stats count by "AsrLocationStatusUpdate.AsrLocationStatus.LocationQualifiedName"
|fields - _raw | fields AsrLocationStatusUpdate.AsrLocationStatus.LocationQualifiedName | rex field=AsrLocationStatusUpdate.AsrLocationStatus.LocationQualifiedName "(?<location>Aisle\d+)" | fields - AsrLocationStatusUpdate.AsrLocationStatus.LocationQualifiedName |strcat "raw" "," location group_name | stats count BY location group_name

 

Current visualisation I am getting by above search in column chart: 

 

uagraw01_0-1701867042156.png

 

I want to obtain below visualization. Please guide me what changes I need to used in my current SPL to obtain below visualization.

uagraw01_1-1701867097228.png

 

 

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎12-06-2023 09:38 AM

Try this

| timechart span=1d count by location

View solution in original post

Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎12-06-2023 06:19 AM

Try changing

| stats count BY location group_name

to

| chart count BY location group_name

then use a stacked column chart

0 Karma
Reply
Solved! Jump to solution

uagraw01
Builder
‎12-06-2023 08:07 AM

@ITWhisperer 

Below is the visualization I am getting after changing from stats to chart.

uagraw01_0-1701878820715.png

 

Tags (1)
0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎12-06-2023 08:20 AM 
| timechart span=1d count by location
0 Karma
Reply
Solved! Jump to solution

uagraw01
Builder
‎12-06-2023 08:35 AM

@ITWhisperer 

No results, I think strcat is working together with location and group_name

uagraw01_0-1701880475145.png

 

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎12-06-2023 08:58 AM

The visualisation you said you wanted doesn't have raw.location in. Please clarify what you want in your visualisation, what fields you have and how you want to use them

0 Karma
Reply
Solved! Jump to solution

uagraw01
Builder
‎12-06-2023 09:05 AM

@ITWhisperer group_name is the raw.location and in the visualisation they are using. I want the same Visualisation as mentioned earlier.

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎12-06-2023 09:09 AM 
| timechart span=1d count by group_name
0 Karma
Reply
Solved! Jump to solution

uagraw01
Builder
‎12-06-2023 09:25 AM

@ITWhisperer Thats also not workng.

See the below events from the search and want the expected visualization.

uagraw01_0-1701883501939.png

 

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎12-06-2023 09:30 AM

I think you may have been told this before but if you want a time element in your visualisation, it needs to be in your results table. Your search is removing the _time field (or not including it). You need to rework your search accordingly.

Reply
Solved! Jump to solution

uagraw01
Builder
‎12-06-2023 09:35 AM

@ITWhisperer 

I have included _time in my search, and the results are still the same.

uagraw01_0-1701884121587.png

 

0 Karma
Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎12-06-2023 09:38 AM

Try this

| timechart span=1d count by location
Reply
Get Updates on the Splunk Community!

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

(view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...

Adoption of Infrastructure Monitoring at Splunk

  Splunk's Growth Engineering team showcases one of their first Splunk product adoption-Splunk Infrastructure ...