Splunk Search

Bubble Graph percentage X axis trouble.

Cuyose
Builder

I have a graph where everything looks visually correct; however, the numbers are all off. In the example below the x axis is supposed to represent a %, so 0-100 is all that should be possible. I've gone through a ton of iterations and this is one that graphically looks fine, but numbers don't work. X axis goes to over 200, and when you hover over the bubbles, the value that normally would be taken from the x axis and displayed is blank(3rd data row down when hover over in bubble chart)

index=app sourcetype=type host=host  Action=* ID=* LOCATION=* ROLE=* 
|eval Duration=DurationTotal/1000  
|transaction ID startswith=EndCall  maxspan=1h maxpause=15m eventcount
|eval percent=(Duration/duration)
|stats dc(Action) as dActions, sum(eventcount) as eventcounts, sum(duration) as calldurations,avg(percent) as PercentInApp by ID LOCATION ROLE|where dActions>3
|stats  avg(PercentInApp) as PercentInApp ,avg(calldurations) as AverageCallDuration, c as TotalCalls  by LOCATION ROLE
|eval PercentInApp=round(PercentInApp*100,2)

I swear I had this working fine earlier, but lost the query and had to restart. How can I get the bubbles on the X axis to represent the PercentInApp correctly?

0 Karma
1 Solution

Cuyose
Builder

OK, figured it out. Hope this may help someone else. I've kinda been on a bubble chart kick lately. Been remembering the cadence. Its all driven on the last stats command.
1st stat is x axis, 2nd is y axis, 3rd is bubble size (should be count or integer), then the 1st by clause is just a label in the hover-over (no visual representation in the graph), second by clause is the legend and will make different color bubbles. If you only have one "by" clause all bubbles will be the same color and there will be a "null" legend.

index=app sourcetype=type host=host  Action=* ID=* LOCATION=* ROLE=* 
    |eval Duration=DurationTotal/1000  
    |transaction ID startswith=EndCall  maxspan=1h maxpause=15m eventcount
    |stats dc(Action) as dActions,  sum(duration) as calldurations,sum(Duration) as appduration by ID LOCATION ROLE|where dActions>3
    |eval percentapp=round(appduration/calldurations*100,0)
    |stats  avg(percentapp) as PercentInApp,avg(calldurations) as AverageCallDuration, c as TotalCalls  by LOCATION ROLE

View solution in original post

0 Karma

Cuyose
Builder

OK, figured it out. Hope this may help someone else. I've kinda been on a bubble chart kick lately. Been remembering the cadence. Its all driven on the last stats command.
1st stat is x axis, 2nd is y axis, 3rd is bubble size (should be count or integer), then the 1st by clause is just a label in the hover-over (no visual representation in the graph), second by clause is the legend and will make different color bubbles. If you only have one "by" clause all bubbles will be the same color and there will be a "null" legend.

index=app sourcetype=type host=host  Action=* ID=* LOCATION=* ROLE=* 
    |eval Duration=DurationTotal/1000  
    |transaction ID startswith=EndCall  maxspan=1h maxpause=15m eventcount
    |stats dc(Action) as dActions,  sum(duration) as calldurations,sum(Duration) as appduration by ID LOCATION ROLE|where dActions>3
    |eval percentapp=round(appduration/calldurations*100,0)
    |stats  avg(percentapp) as PercentInApp,avg(calldurations) as AverageCallDuration, c as TotalCalls  by LOCATION ROLE
0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...