Splunk Search

Any way to use _time with a bubble or scatter chart?

vbumgarner
Contributor

I need to show changes of a numeric state over time, of multiple series. Several state changes may happen very quickly, which a single aggregation in timechart will just swallow. Ideally I'd like to visualize all of the unique values that happened for a given series in a given time slice.

A scatter chart seems to make sense, but it doesn't appear to support _time for the X-axis in any sane way. Hopefully I'm just missing some setting?

What I've tried is essentially:

search... | bucket bins=500 _time | rename _time as t | table series t state_value

You end up with either the epoch as the x, or 0-(max(_time)-min(_time)) if you use _time. Formatting the date string doesn't seem to work, either.

Another approach that would be really cool would be the ability to do this:

search... | timechart values(state_value) by series

Even if this just showed the max and min in the slice in the same line, that'd be acceptable.

I see from an ancient question that timechart used to support values(foo), but now it doesn't appear to actually draw anything if there are multiple values returned in a particular time bucket.

Thoughts?

msivill_splunk
Splunk Employee

Another option for the visualization that uses the min/max value query

index="456278" | timechart span=7d max(state) as max, min(state) as min by series format="$VAL$ $AGG$"

Is the "Horizon Chart - Custom Visualization" on Splunkbase https://splunkbase.splunk.com/app/3117/

This has the advantage of being able to pull a line across the charts that shows the values. So you can see the min/max for a certain time period.

So you end up with something a bit like this -

[screenshot of the resulting horizon chart]

0 Karma

vbumgarner
Contributor

That's interesting. Downloading...

0 Karma

sideview
SplunkTrust

Not sure if this helps, but you can make a new field just concatenating your state and your series values. Then have timechart split by that. My first thought reading this also was to break it into two problems - merely chart the dc(state) in your timechart, and on the drilldown click, display to the user what the actual values were.

Also one bizarre workaround that can give a little mileage would be a) to go into the formatting and tell it to not connect lines between gaps. b) use SPL shenanigans to interpolate a row with the right _time value in between every existing row. But have all the other fields blank on these interpolated rows. In this way a line chart becomes effectively a scatter chart. =/

Here's a concocted search result I was using to play around with the problem.

| makeresults count=200 | eval _time=now() | streamstats count | eval _time=_time+60*count | eval mod5=count - 5*floor(count/5) | eval mod11=count - 11*floor(count/11) | eval combined=mod5 + " - " + mod11

and here's the same search with a timechart splitting things out.

| makeresults count=200 | eval _time=now() | streamstats count | eval _time=_time+60*count | eval mod5=count - 5*floor(count/5) | eval mod11=count - 11*floor(count/11) | eval combined=mod5 + " - " + mod11 | timechart count by combined

hope that helps.

0 Karma
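The "bizarre workaround" above (gaps between nulls plus an interpolated blank row between every pair of real rows) worked through as a Simple XML panel. This is an added example, not code posted in the thread: it reuses the makeresults data-generation idea from the post, the `series` and `state` field names are the ones used throughout the thread, and `next_time` and `rows` are helper fields chosen here. The search places a null row halfway between each event and the next event of the same series, so that a line chart with `nullValueMode` set to `gaps` never connects two consecutive points.

```xml
<dashboard>
  <label>Line chart as scatter via interpolated null rows (added example)</label>
  <row>
    <panel>
      <title>One marker per event, no connecting lines</title>
      <chart>
        <!-- Step 1: 200 synthetic events one minute apart, 3 series, state cycling 0..10
             (constructed sample data, same idea as the makeresults search in the thread).
             Step 2: reverse + streamstats window=1 current=f fetches the NEXT event time
             of the same series into next_time; the final event of a series gets _time+60.
             Step 3: mvrange/mvexpand duplicates every row; the copy is moved to the midpoint
             and its state is blanked, giving the "interpolated" null row.
             Step 4: xyseries pivots to one row per _time and one column per series. -->
        <search>
          <query>| makeresults count=200
| eval _time=now()
| streamstats count
| eval _time=_time+60*count
| eval series="s".(count - 3*floor(count/3))
| eval state=count - 11*floor(count/11)
| sort 0 _time
| reverse
| streamstats window=1 current=f last(_time) as next_time by series
| reverse
| eval next_time=coalesce(next_time, _time+60)
| eval rows=mvrange(0,2)
| mvexpand rows
| eval _time=if(rows=1, floor((_time+next_time)/2), _time)
| eval state=if(rows=1, null(), state)
| fields _time series state
| xyseries _time series state</query>
        </search>
        <!-- (a) from the post: do not draw lines across null cells -->
        <option name="charting.chart">line</option>
        <option name="charting.chart.nullValueMode">gaps</option>
        <!-- markers make the isolated points visible once the connecting lines are gone -->
        <option name="charting.chart.showMarkers">1</option>
        <option name="charting.legend.placement">right</option>
      </chart>
    </panel>
  </row>
</dashboard>
```

Because the blank row sits at the midpoint between two real events of the same series, it always falls strictly between them, whatever their spacing; the `sort 0 _time` before the reverse/streamstats pair is what makes "next event" mean the next one in time rather than the next one in search order.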

vbumgarner
Contributor

Hey man, long time no see.

That would show every point, for sure, but the coloring gets even worse, since I wouldn't actually know how many series would be there.

You're possibly right that drawing this in two steps is actually the best option.

0 Karma

sideview
SplunkTrust

o/ ikr. Nice to see you too.

0 Karma

msivill_splunk
Splunk Employee

The best I could do was to plot max/min for each series on a line chart using

index="456278" | timechart span=7d max(state) as max, min(state) as min by series

You could also change the colourings on the max/min series pair lines so they matched up - http://docs.splunk.com/Documentation/Splunk/6.5.0/Viz/ChartConfigurationReference#General_chart_prop...

0 Karma

msivill_splunk
Splunk Employee

Using

index="456278" | timechart span=7d max(state) as max, min(state) as min by series format="$VAL$ $AGG$"

with format will place max/min legends next to each other, for easier comparison between values.

0 Karma

vbumgarner
Contributor

That does get the legend items together, but the lines are pretty unreadable. If I knew what the series names could be, I could specify the colors, but in this case, of course they're dynamic. I suppose I could make a long list of colors, repeating the colors. Hmm.

What would be the absolute best would be something like this:

scatter, or line chart with points but no lines:
index="456278" | timechart span=7d values(state) as values by series
with an overlaid line:
index="456278" | timechart span=7d last(state) as last by series | filldown

0 Karma

msivill_splunk
Splunk Employee

Using the seriesColors option you don't need to know the names of your series ahead of time. So you can create pairs of colors instead.

<option name="charting.seriesColors">[0x1e93c6, 0x1e93c6, 0xf2b827, 0xf2b827, 0xd6563c, 0xd6563c, 0x6a5c9e, 0x6a5c9e]</option>

Here is a full example -

<dashboard>
  <label>456278</label>
  <row>
    <panel>
      <chart>
        <search>
          <query>index="456278" | timechart span=7d max(state) as max, min(state) as min by series format="$$VAL$$ $$AGG$$"</query>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
        <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
        <option name="charting.axisTitleX.visibility">visible</option>
        <option name="charting.axisTitleY.visibility">visible</option>
        <option name="charting.axisTitleY2.visibility">visible</option>
        <option name="charting.axisX.scale">linear</option>
        <option name="charting.axisY.scale">linear</option>
        <option name="charting.axisY2.enabled">0</option>
        <option name="charting.axisY2.scale">inherit</option>
        <option name="charting.chart">line</option>
        <option name="charting.chart.bubbleMaximumSize">50</option>
        <option name="charting.chart.bubbleMinimumSize">10</option>
        <option name="charting.chart.bubbleSizeBy">area</option>
        <option name="charting.chart.nullValueMode">gaps</option>
        <option name="charting.chart.showDataLabels">none</option>
        <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
        <option name="charting.chart.stackMode">default</option>
        <option name="charting.chart.style">shiny</option>
        <option name="charting.drilldown">all</option>
        <option name="charting.layout.splitSeries">0</option>
        <option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
        <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
        <option name="charting.legend.placement">right</option>
        <option name="charting.seriesColors">[0x1e93c6, 0x1e93c6, 0xf2b827, 0xf2b827, 0xd6563c, 0xd6563c, 0x6a5c9e, 0x6a5c9e]</option>
      </chart>
    </panel>
  </row>
</dashboard>

Also note the use of double $ ($$) in the dashboard as the $ needs to be escaped.

So the above works with the standard charting options within Splunk.

Another alternative would be to build a custom visualization but this would likely take a bit of time to create.

0 Karma

vbumgarner
Contributor

Yep, that was my last experiment. I actually ended up tripling the colors, and drawing min, max and last, then using filldown on last*. This draws the min and max as points, and the last value in the time slice draws off to the right.

0 Karma
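The approach described in the last reply, written out as a complete Simple XML panel. This is an added example and not a dashboard posted in the thread: it combines the min/max query and the seriesColors pairing from earlier replies with a third `last(state)` aggregate, extends the colour list to triples, and assumes that the wildcard field spec `*last` matches the "<series> last" columns that the `$VAL$ $AGG$` format string produces. `index="456278"` and the `series`/`state` fields are the placeholders used throughout the thread.

```xml
<dashboard>
  <label>min, max and last per series with tripled colours (added example)</label>
  <row>
    <panel>
      <chart>
        <!-- $VAL$ $AGG$ naming groups each series' three columns together
             ("A last", "A max", "A min", "B last", ...), so three identical
             colours in a row land on one series without knowing its name.
             filldown carries the last value forward across empty buckets, which is
             the "draws off to the right" effect; min and max stay as isolated points
             because nullValueMode gaps stops the chart bridging empty buckets.
             $ is doubled because Simple XML treats single $ as a token. -->
        <search>
          <query>index="456278"
| timechart span=7d min(state) as min, max(state) as max, last(state) as last by series format="$$VAL$$ $$AGG$$"
| filldown *last</query>
        </search>
        <option name="charting.chart">line</option>
        <option name="charting.chart.nullValueMode">gaps</option>
        <option name="charting.chart.showMarkers">1</option>
        <option name="charting.legend.placement">right</option>
        <option name="charting.seriesColors">[0x1e93c6, 0x1e93c6, 0x1e93c6, 0xf2b827, 0xf2b827, 0xf2b827, 0xd6563c, 0xd6563c, 0xd6563c, 0x6a5c9e, 0x6a5c9e, 0x6a5c9e]</option>
      </chart>
    </panel>
  </row>
</dashboard>
```

The colour list only covers four series; with more series than listed triples the palette has to be extended in the same three-at-a-time pattern, which is the "long list of colors, repeating the colors" idea from earlier in the thread.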