Splunk Enterprise

Splunk SPL & visualisation

uagraw01
Motivator

Hello Splunkers!!

index=messagebus "AsrLocationStatusUpdate.AsrLocationStatus.LocationQualifiedName"="ASR/Hb/*/Entry*" OR "AsrLocationStatusUpdate.AsrLocationStatus.LocationQualifiedName"="ASR/Hb/*/Exit*"
| stats count by "AsrLocationStatusUpdate.AsrLocationStatus.LocationQualifiedName"
| fields - _raw
| fields AsrLocationStatusUpdate.AsrLocationStatus.LocationQualifiedName
| rex field=AsrLocationStatusUpdate.AsrLocationStatus.LocationQualifiedName "(?<location>Aisle\d+)"
| fields - AsrLocationStatusUpdate.AsrLocationStatus.LocationQualifiedName
| strcat "raw" "," location group_name
| stats count BY location group_name

Current visualisation I am getting from the above search in a column chart:

[attached screenshot: uagraw01_0-1701867042156.png]

I want to obtain the below visualization. Please guide me on what changes I need to use in my current SPL to obtain the below visualization.

[attached screenshot: uagraw01_1-1701867097228.png]

1 Solution

ITWhisperer
SplunkTrust

Try this

| timechart span=1d count by location

ITWhisperer
SplunkTrust

Try changing

| stats count BY location group_name

to

| chart count BY location group_name

then use a stacked column chart

uagraw01
Motivator

@ITWhisperer 

Below is the visualization I am getting after changing from stats to chart.

[attached screenshot: uagraw01_0-1701878820715.png]

ITWhisperer
SplunkTrust

| timechart span=1d count by location

uagraw01
Motivator

@ITWhisperer 

No results, I think strcat is working together with location and group_name

[attached screenshot: uagraw01_0-1701880475145.png]

ITWhisperer
SplunkTrust

The visualisation you said you wanted doesn't have raw.location in it. Please clarify what you want in your visualisation, what fields you have and how you want to use them.

uagraw01
Motivator

@ITWhisperer group_name is the raw.location, and in the visualisation that is what they are using. I want the same visualisation as mentioned earlier.

ITWhisperer
SplunkTrust

| timechart span=1d count by group_name

uagraw01
Motivator

@ITWhisperer That's also not working.

See the below events from the search, and I want the expected visualization.

[attached screenshot: uagraw01_0-1701883501939.png]

ITWhisperer
SplunkTrust

I think you may have been told this before but if you want a time element in your visualisation, it needs to be in your results table. Your search is removing the _time field (or not including it). You need to rework your search accordingly.
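Added example (an editor's illustration of the point above, not code from the thread or from ITWhisperer) of one way to rework the original search so that _time survives into the results; it assumes the same Aisle location pattern and the same "raw," group_name prefix that the original post's rex and strcat produced:

```spl
index=messagebus
    "AsrLocationStatusUpdate.AsrLocationStatus.LocationQualifiedName"="ASR/Hb/*/Entry*"
    OR "AsrLocationStatusUpdate.AsrLocationStatus.LocationQualifiedName"="ASR/Hb/*/Exit*"
| rex field=AsrLocationStatusUpdate.AsrLocationStatus.LocationQualifiedName "(?<location>Aisle\d+)"
| eval group_name="raw,".location
| timechart span=1d count by group_name
```

Because rex and eval run directly on the raw events, _time is still present when timechart runs; the `stats count by ...` step in the original search is what discarded it, so no later `fields` or `timechart` could bring it back.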

uagraw01
Motivator

@ITWhisperer 

I have included _time in my search, and the results are still the same.

[attached screenshot: uagraw01_0-1701884121587.png]
