Splunk Enterprise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Splunk query for Visualization

uagraw01
Motivator
‎06-19-2024 02:51 AM

Hello Splunkers!

I want a below visualization as per attached screenshot. I have mentioned complete SPL also. Please let me know how to achieve it.

uagraw01_1-1718790551185.png





 

index=ABC sourcetype="stalogmessage" | fields _raw | spath output=statistical_element "StaLogMessage.StatisticalElement" | spath output=statistical_subject "StaLogMessage.StatisticalElement.StatisticalSubject" | fields - _raw | spath input=statistical_element output=statistical_item "StatisticalItem" | spath input=statistical_item output=StatisticalId "StatisticalId" | spath input=statistical_item output=Value "Value" | spath input=statistical_subject output=SubjectType "SubjectType" | mvexpand SubjectType | where SubjectType="ORDER_RECIPE" | lookup detail_lfl.csv StatisticalID as StatisticalId SubjectType as SubjectType OUTPUTNEW SymbolicName Unit | mvexpand Unit | search Unit="%" | mvexpand SymbolicName | where SymbolicName="UTILISATION"
| mvexpand Value
| mvexpand StatisticalId
| table StatisticalId Value Unit

 

Labels (1)
Labels
0 Karma
Reply

uagraw01
Motivator
‎06-20-2024 10:54 PM

 

index=ABC sourcetype="stalogmessage" 
| fields _raw 
| spath output=statistical_element "StaLogMessage.StatisticalElement" 
| spath output=statistical_subject "StaLogMessage.StatisticalElement.StatisticalSubject" 
| fields - _raw
| mvexpand statistical_element  
| mvexpand statistical_subject
| spath input=statistical_element output=statistical_item "StatisticalItem"
| spath input=statistical_item output=StatisticalId "StatisticalId"
| spath input=statistical_item output=Value "Value"
| spath input=statistical_subject output=SubjectType "SubjectType"
| where SubjectType="ORDER_RECIPE"
| stats count by StatisticalId Value SubjectType _time
| lookup detail_lfl.csv StatisticalID as StatisticalId SubjectType as SubjectType OUTPUTNEW SymbolicName
| mvexpand SymbolicName
| where SymbolicName="UTILISATION" 
|  strcat "raw" "," SymbolicName group_name
| stats min(Value) AS min_value, max(Value) AS max_value, sum(Value) AS sum_value, count AS count BY SymbolicName group_name StatisticalId _time
| eval min_value=coalesce(min_value,value), max_value=coalesce(max_value,value), sum_value=coalesce(sum_value,value), count=coalesce(count,1) 
| fields StatisticalId min_value max_value sum_value count group_name _time
| dedup StatisticalId _time group_name
| fields - _virtual_ _cd_ 
| fillnull value="" 
| timechart span=1h minspan=3600s eval(round(min(min_value),2)) AS "Minimum", eval(round(max(max_value),2)) AS "Maximum", eval(round(sum(sum_value),2)) AS summed, eval(round(sum(count),2)) AS counted 
| eval "Average" = round(summed/counted, 2) 
| fields - summed counted

 

 

As I am using above query to visualize the graph in Maximum , minimum and average. But my values are looking different.

uagraw01_0-1718949107434.png

 

 Expected result I want :

uagraw01_2-1718949246939.png

@bowesmana Please help me what I need to fix in the query to achieve expected results. 

0 Karma
Reply

bowesmana
SplunkTrust
SplunkTrust
‎06-21-2024 01:14 AM

At the very basic level you are producing a timechart with a span=1h and you want a time chart with a daily set of numbers, so that's wrong.

However, it's impossible to say what is going on here, you have so much going on in the search.

You have to go back to basics, which means start with the basic data and at EACH step of your SPL make sure the data is giving you what you expect.

So, take a very small sample set of data and run the SPL line by line, check the output after each line. When you are happy that the data is giving you the correct output from 1 line of SPL, add in the next line.

 

0 Karma
Reply

bowesmana
SplunkTrust
SplunkTrust
‎06-19-2024 03:42 PM

What is the x-axis you need.

You have 3 fields output in your search

| table StatisticalId Value Unit

and there is a lot of mvexpand logic going on... and that seems like you are going to multiple your data significantly as there's no correlation between each of the MV values you are expanding.

That aside, the basic command to create the chart would be something like

| chart max(Value) over Unit by StatisticalId

which would put Unit on the x-axis. Swap Unit and StatisticalId to make StatisticalId the x-axis

 

Reply

uagraw01
Motivator
‎06-21-2024 12:55 AM

@bowesmana  In x-axis I am having time.

0 Karma
Reply

dataisbeautiful
Path Finder
‎06-19-2024 03:50 AM

HI @uagraw01 

Try this: Data display > Data value display: All.

dataisbeautiful_0-1718794172946.png

 

Reply
Get Updates on the Splunk Community!

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Survey for Splunk Admins and App Developers is open now! | Earn a $35 gift card!      Hello there,  Splunk ...

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...