Splunk Search

Any way to use _time with a bubble or scatter chart?

Contributor

I need to show changes of a numeric state over time, of multiple series. Several state changes may happen very quickly, which a single aggregation in timechart will just swallow. Ideally I'd like to visualize all of the unique values that happened for a given series in a given time slice.

A scatter chart seems to make sense, but it doesn't appear to support _time for the X-axis in any sane way. Hopefully I'm just missing some setting?

What I've tried is essentially:

search... | bucket bins=500 _time | rename _time as t | table series t state_value

You end up with either the epoch as the x, or 0-(max(_time)-min(_time)) if you use _time. Formatting the date string doesn't seem to work, either.

Another approach that would be really cool would be the ability to do this:

search... | timechart values(state_value) by series

Even if this just showed the max and min in the slice in the same line, that'd be acceptable.

I see from an ancient question that timechart used to support values(foo), but now it doesn't appear to actually draw anything if there are multiple values returned in a particular time bucket.

Thoughts?

Splunk Employee
Splunk Employee

Another option for the visualization that uses the min/max value query

index="456278" | timechart span=7d max(state) as max, min(state) as min by series format="$VAL$ $AGG$"

Is the "Horizon Chart - Custom Visualization" on Splunkbase https://splunkbase.splunk.com/app/3117/

This has the advantage of being able to pull a line across the charts that shows the values. So you can see the min/max for a certain time period.

So you end up with something a bit like this -

alt text

0 Karma

Contributor

That's interesting. Downloading...

0 Karma

SplunkTrust
SplunkTrust

Not sure if this helps, but you can make a new field just concatenating your state and your series values. Then have timechart split by that. My first thought reading this also, was do break it into two problems - merely chart the dc(state) in your timechart, and on the drilldown click, display to the user what the actual values were.

Also one bizarre workaround that can give a little mileage would be a) to go into the formatting and tell it to not connect lines between gaps. b) use SPL shenanigans to interpolate a row with the right _time value in between every existing row. But have all the other fields blank on these interpolated rows. In this way a line chart becomes effectively a scatter chart. =/

Here's a concocted search result I was using to play around with the problem.

| makeresults count=200 | eval _time=now() | streamstats count | eval _time=_time+60*count | eval mod5=count - 5*floor(count/5) | eval mod11=count - 11*floor(count/11) | eval combined=mod5 + " - " + mod11

and here's the same search with a timechart splitting things out.

| makeresults count=200 | eval _time=now() | streamstats count | eval _time=_time+60*count | eval mod5=count - 5*floor(count/5) | eval mod11=count - 11*floor(count/11) | eval combined=mod5 + " - " + mod11 | timechart count by combined

hope that helps.

0 Karma

Contributor

Hey man, long time no see.

That would show every point, for sure, but the coloring gets even worse, since I wouldn't actually know how many series would be there.

You're possibly right that drawing this in two steps is actually the best option.

0 Karma

SplunkTrust
SplunkTrust

o/ ikr. Nice to see you too.

0 Karma

Splunk Employee
Splunk Employee

The best I could do was to plot max/min for each series on a line chart using

index="456278" | timechart span=7d max(state) as max, min(state) as min by series

You could also change the colourings on the max/min series pair lines so they matched up - http://docs.splunk.com/Documentation/Splunk/6.5.0/Viz/ChartConfigurationReference#General_chart_prop...

0 Karma

Splunk Employee
Splunk Employee

Using

index="456278" | timechart span=7d max(state) as max, min(state) as min by series format="$VAL$ $AGG$"

with format will place max/min legends next to each other, for easier comparison between values.

0 Karma

Contributor

That does get the legend items together, but the lines are pretty unreadable. If I knew what the series names could be, I could specify the colors, but in this case, of course they're dynamic. I suppose I could make a long list of colors, repeating the colors. Hmm.

What would be the absolute best would be something like this:

scatter, or line chart with points but no lines:
index="456278" | timechart span=7d values(state) as values by series
with an overlaid line:
index="456278" | timechart span=7d last(state) as last by series | filldown

0 Karma

Splunk Employee
Splunk Employee

Using the seriesColors option you don't need to know the names of your series ahead of time. So you can create pairs of colors instead.

<option name="charting.seriesColors">[0x1e93c6, 0x1e93c6, 0xf2b827, 0xf2b827, 0xd6563c, 0xd6563c, 0x6a5c9e, 0x6a5c9e</option>

Here is a full example -

<dashboard>
  <label>456278</label>
  <row>
    <panel>
      <chart>
        <search>
          <query>index="456278" | timechart span=7d max(state) as max, min(state) as min by series format="$$VAL$$ $$AGG$$"</query>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
        <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
        <option name="charting.axisTitleX.visibility">visible</option>
        <option name="charting.axisTitleY.visibility">visible</option>
        <option name="charting.axisTitleY2.visibility">visible</option>
        <option name="charting.axisX.scale">linear</option>
        <option name="charting.axisY.scale">linear</option>
        <option name="charting.axisY2.enabled">0</option>
        <option name="charting.axisY2.scale">inherit</option>
        <option name="charting.chart">line</option>
        <option name="charting.chart.bubbleMaximumSize">50</option>
        <option name="charting.chart.bubbleMinimumSize">10</option>
        <option name="charting.chart.bubbleSizeBy">area</option>
        <option name="charting.chart.nullValueMode">gaps</option>
        <option name="charting.chart.showDataLabels">none</option>
        <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
        <option name="charting.chart.stackMode">default</option>
        <option name="charting.chart.style">shiny</option>
        <option name="charting.drilldown">all</option>
        <option name="charting.layout.splitSeries">0</option>
        <option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
        <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
        <option name="charting.legend.placement">right</option>
        <option name="charting.seriesColors">[0x1e93c6, 0x1e93c6, 0xf2b827, 0xf2b827, 0xd6563c, 0xd6563c, 0x6a5c9e, 0x6a5c9e</option>
      </chart>
    </panel>
  </row>
</dashboard>

Also note the use of double $ ($$) in the dashboard as the $ needs to be escaped.

So the above works with the standard charting options within Splunk.

Another alternative would be to build a custom vizualization but this would likely take a bit of time to create.

0 Karma

Contributor

Yep, that was my last experiment. I actually ended tripling the colors, and drawing min max and last, then using filldown on last*. This draws the min and max as points, and the last value in the time slice draws off to the right.

0 Karma
State of Splunk Careers

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.

Find out what your skills are worth!