Splunk Enterprise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Splunk SPL & visualisation

uagraw01
Motivator
‎12-06-2023 04:53 AM

Hello Splunkers!!

index=messagebus "AsrLocationStatusUpdate.AsrLocationStatus.LocationQualifiedName"="ASR/Hb/*/Entry*" OR "AsrLocationStatusUpdate.AsrLocationStatus.LocationQualifiedName"="ASR/Hb/*/Exit*" | stats count by "AsrLocationStatusUpdate.AsrLocationStatus.LocationQualifiedName"
|fields - _raw | fields AsrLocationStatusUpdate.AsrLocationStatus.LocationQualifiedName | rex field=AsrLocationStatusUpdate.AsrLocationStatus.LocationQualifiedName "(?<location>Aisle\d+)" | fields - AsrLocationStatusUpdate.AsrLocationStatus.LocationQualifiedName |strcat "raw" "," location group_name | stats count BY location group_name

 

Current visualisation I am getting by above search in column chart: 

 

uagraw01_0-1701867042156.png

 

I want to obtain below visualization. Please guide me what changes I need to used in my current SPL to obtain below visualization.

uagraw01_1-1701867097228.png

 

 

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎12-06-2023 09:38 AM

Try this

| timechart span=1d count by location

View solution in original post

Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎12-06-2023 06:19 AM

Try changing

| stats count BY location group_name

to

| chart count BY location group_name

then use a stacked column chart

0 Karma
Reply
Solved! Jump to solution

uagraw01
Motivator
‎12-06-2023 08:07 AM

@ITWhisperer 

Below is the visualization I am getting after changing from stats to chart.

uagraw01_0-1701878820715.png

 

Tags (1)
0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎12-06-2023 08:20 AM 
| timechart span=1d count by location
0 Karma
Reply
Solved! Jump to solution

uagraw01
Motivator
‎12-06-2023 08:35 AM

@ITWhisperer 

No results, I think strcat is working together with location and group_name

uagraw01_0-1701880475145.png

 

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎12-06-2023 08:58 AM

The visualisation you said you wanted doesn't have raw.location in. Please clarify what you want in your visualisation, what fields you have and how you want to use them

0 Karma
Reply
Solved! Jump to solution

uagraw01
Motivator
‎12-06-2023 09:05 AM

@ITWhisperer group_name is the raw.location and in the visualisation they are using. I want the same Visualisation as mentioned earlier.

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎12-06-2023 09:09 AM 
| timechart span=1d count by group_name
0 Karma
Reply
Solved! Jump to solution

uagraw01
Motivator
‎12-06-2023 09:25 AM

@ITWhisperer Thats also not workng.

See the below events from the search and want the expected visualization.

uagraw01_0-1701883501939.png

 

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎12-06-2023 09:30 AM

I think you may have been told this before but if you want a time element in your visualisation, it needs to be in your results table. Your search is removing the _time field (or not including it). You need to rework your search accordingly.

Reply
Solved! Jump to solution

uagraw01
Motivator
‎12-06-2023 09:35 AM

@ITWhisperer 

I have included _time in my search, and the results are still the same.

uagraw01_0-1701884121587.png

 

0 Karma
Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎12-06-2023 09:38 AM

Try this

| timechart span=1d count by location
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...