Solved: Re: Splunk SPL & visualisation

uagraw01 · ‎12-06-2023

Hello Splunkers!!

index=messagebus "AsrLocationStatusUpdate.AsrLocationStatus.LocationQualifiedName"="ASR/Hb/*/Entry*" OR "AsrLocationStatusUpdate.AsrLocationStatus.LocationQualifiedName"="ASR/Hb/*/Exit*" | stats count by "AsrLocationStatusUpdate.AsrLocationStatus.LocationQualifiedName"
|fields - _raw | fields AsrLocationStatusUpdate.AsrLocationStatus.LocationQualifiedName | rex field=AsrLocationStatusUpdate.AsrLocationStatus.LocationQualifiedName "(?<location>Aisle\d+)" | fields - AsrLocationStatusUpdate.AsrLocationStatus.LocationQualifiedName |strcat "raw" "," location group_name | stats count BY location group_name

Current visualisation I am getting by above search in column chart:

I want to obtain below visualization. Please guide me what changes I need to used in my current SPL to obtain below visualization.

ITWhisperer · ‎12-06-2023

Try this

| timechart span=1d count by location

View solution in original post

ITWhisperer · ‎12-06-2023

Try changing

| stats count BY location group_name

to

| chart count BY location group_name

then use a stacked column chart

uagraw01 · ‎12-06-2023

@ITWhisperer

Below is the visualization I am getting after changing from stats to chart.

ITWhisperer · ‎12-06-2023

| timechart span=1d count by location

uagraw01 · ‎12-06-2023

@ITWhisperer

No results, I think strcat is working together with location and group_name

ITWhisperer · ‎12-06-2023

The visualisation you said you wanted doesn't have raw.location in. Please clarify what you want in your visualisation, what fields you have and how you want to use them

uagraw01 · ‎12-06-2023

@ITWhisperer group_name is the raw.location and in the visualisation they are using. I want the same Visualisation as mentioned earlier.

ITWhisperer · ‎12-06-2023

| timechart span=1d count by group_name

uagraw01 · ‎12-06-2023

@ITWhisperer Thats also not workng.

See the below events from the search and want the expected visualization.

ITWhisperer · ‎12-06-2023

I think you may have been told this before but if you want a time element in your visualisation, it needs to be in your results table. Your search is removing the _time field (or not including it). You need to rework your search accordingly.

uagraw01 · ‎12-06-2023

@ITWhisperer

I have included _time in my search, and the results are still the same.

ITWhisperer · ‎12-06-2023

Try this

| timechart span=1d count by location

Splunk SPL & visualisation

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Painting a Clearer Picture: Creating Cross-Domain Visibility with AI Canvas

Analytics Workspace deprecation

Splunk Developer Day Recap: Building, Publishing, and Growing on the Splunk Platform

Join the Conversation

Splunk SPL & visualisation

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Painting a Clearer Picture: Creating Cross-Domain Visibility with AI Canvas

Analytics Workspace deprecation

Splunk Developer Day Recap: Building, Publishing, and Growing on the Splunk Platform