Splunk Search

Bubble Charts input data structure [lacking documentation]

splunk_zen
Builder

From the latest docs, this is the simplest prerequisite to build a bubble chart,

"1. A single series structure that contains 3 columns. The first column (column 0) contains the values to be plotted on the x-axis. The second column (column 1) contains the values to be plotted on the y-axis. And the third column (column 2) contains the values to be plotted on the z-axis."

then why does the bubble chart fail to draw anything

(it originally was charting some nonsense bubbles when I was incorrectly feeding the _time field to the y axis)

when I build a search which feeds it the following table?

_time category count
7/4/12 1:00:00.291 PM TIMEOUT 10
7/4/12 4:00:00.294 PM HIT_MAX_REQ_LIMIT 3
7/4/12 1:00:00.296 PM ORA_EXCEPTIONS 1
7/4/12 4:00:00.296 PM ORA_EXCEPTIONS 0
7/4/12 1:00:00.300 PM HIT_MAX_REQ_LIMIT 2
7/4/12 4:00:00.291 PM HIT_MAX_REQ_LIMIT 1

This is my simple XML content,

  <option name="charting.chart">bubble</option>
  <earliestTime>-48h@h</earliestTime>
  <latestTime>now</latestTime>

How should I use them ?

Splunk devs, please further improve the bubble charts documentation with an example.

Tags (3)
1 Solution

mattness
Splunk Employee
Splunk Employee

I've consulted Splunk's expert on chart visualization issues and as it turns out when you've selected the "bubble" chart type in simple XML, Splunk will by default expect the y-axis to be a numeric value. This is (probably) why you're running into trouble.

You should be able to override this by changing the y-axis parameter in the simple XML for the chart. Try adding this line to the bubble chart XML and see if it doesn't solve your problem:

<option name="charting.axisY">category</option>

If it does I'll get the docs updated so they make this issue more clear.

(Note: The use of "category" here is not a reference to your "category" field, but rather an indication that you want the y-axis to display categorical values--strings, as opposed to numbers or timestamps. For more info see the topic on charting library axis parameters.)

View solution in original post

mattness
Splunk Employee
Splunk Employee

I've consulted Splunk's expert on chart visualization issues and as it turns out when you've selected the "bubble" chart type in simple XML, Splunk will by default expect the y-axis to be a numeric value. This is (probably) why you're running into trouble.

You should be able to override this by changing the y-axis parameter in the simple XML for the chart. Try adding this line to the bubble chart XML and see if it doesn't solve your problem:

<option name="charting.axisY">category</option>

If it does I'll get the docs updated so they make this issue more clear.

(Note: The use of "category" here is not a reference to your "category" field, but rather an indication that you want the y-axis to display categorical values--strings, as opposed to numbers or timestamps. For more info see the topic on charting library axis parameters.)

mattness
Splunk Employee
Splunk Employee

The bubbles are the same color because you've set this up as a single series bubble chart. To get different colors, you'd need to configure the chart to handle multiple series. This would utilize a four-column table, where the first column would be the series (in your case, most likely the "category" field), and then the other three would be the x, y, and z axes respectively.

I'll look into the zero value issue.

Have you considered going with a stacked column chart instead? It seems like that would do a better job of expressing what you're trying to express here.

splunk_zen
Builder

Also,
I expected a bubble to not be charted when the y axis value has a corresponding z axis 0 value.
I tried both the following lines but the 0 value bubbles kept being drawn,
0
false

0 Karma

splunk_zen
Builder

mattness,
category
did indeed get the bubble chart closer to what I need.
https://dl.dropbox.com/u/927023/bubble2.PNG

However, why are all the bubbles the same color (when there are several diferent y axis metrics)?

0 Karma

splunk_zen
Builder

I do appreciate it. Thank you.
I will try it tomorrow as soon as I arrive to work.

Could you please take a look in my initial question http://splunk-base.splunk.com/answers/52300/search-generate-a-time-causes-count-collums-table and clarify if I indeed need to transform the data (or if there is a simpler way) into the aforementioned table ?

0 Karma

splunk_zen
Builder

For the record,
this doubt is related to my initial question,
http://splunk-base.splunk.com/answers/52300/search-generate-a-time-causes-count-collums-table

0 Karma
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...