Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Can I make sichart behave like chart?

rharrigan
Engager
‎04-07-2017 08:31 AM

So I have a working query that uses chart to visualize some data by some categories. Example:

index=myData | chart count by site pagetype

Which gives me a table with:

Site   site_type1   site_type2 
site1        55            505
site2        505           55

So I can visualize data with something like a stacked bar chart showing how each site type contributes to each site. Since we want to look at this over months though it can get quite slow to count that many events so I set up a summary index to run hourly to improve performance. It includes a split by site and pagetype so all of the information is preserved into hourly counts, 

index=myData | sistats count by site pagetype other_thing1 other_thing2

This runs hourly to speed up report generation and has worked well for some reports. However when I try to replicate the above report with something like 

index=summary_myData | sichart count by site pagetype

The table is different and looks like:

Site     site_type     psrsvd_gc
site1    site_type1      55
site2    site_type1      505
site1    site_type2      505
site2    site_type1      55

The data is clearly all there but this is a terrible way to look at it and the fact that the columns are not formatted correctly means that any visualizations I create are not useful. For example, if I try to create a bar chart I don't get separate bars for each site type.

How can I reconcile the two to look the same so that this speedup is invisible to my report users? Is it even possible?

I have tried:

 sichart count by page over page_type

Which doesn't change anything

sichart count(eval(page_type=="page_type1")) as page_type1 count(eval(page_type=="page_type2")) as page_type2 by site

This also just adds together all of the counts and ignores the as clauses.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

DalJeanis
Legend
‎04-07-2017 09:22 AM

Once you have taken the data out to play, you don't have to stick to the si commands.

This puts the sample data back in as you showed it...

| makeresults
| eval mydata="site1,site_type1,55 site2,site_type1,505 site1,site_type2,505 site2,site_type2,55"
| makemv mydata | mvexpand mydata | table mydata 
| makemv delim="," mydata 
| eval Site=mvindex(mydata,0), site_type =mvindex(mydata,1), psrsvd_gc=mvindex(mydata,2)
| table Site site_type psrsvd_gc

This reformats it back to the way you want it...

| rename psrsvd_gc as count
| chart sum(count) as count by Site site_type

By the way, that output format looks like a great example of the results of the untable command, so exploring how the untable and xyseries commands work could help you effectively manipulate the summary data if it gets any more complicated than the stuff you showed us here.

View solution in original post

Reply
Solved! Jump to solution
Solution

DalJeanis
Legend
‎04-07-2017 09:22 AM

Once you have taken the data out to play, you don't have to stick to the si commands.

This puts the sample data back in as you showed it...

| makeresults
| eval mydata="site1,site_type1,55 site2,site_type1,505 site1,site_type2,505 site2,site_type2,55"
| makemv mydata | mvexpand mydata | table mydata 
| makemv delim="," mydata 
| eval Site=mvindex(mydata,0), site_type =mvindex(mydata,1), psrsvd_gc=mvindex(mydata,2)
| table Site site_type psrsvd_gc

This reformats it back to the way you want it...

| rename psrsvd_gc as count
| chart sum(count) as count by Site site_type

By the way, that output format looks like a great example of the results of the untable command, so exploring how the untable and xyseries commands work could help you effectively manipulate the summary data if it gets any more complicated than the stuff you showed us here.

Reply
Solved! Jump to solution

rharrigan
Engager
‎04-07-2017 12:04 PM

Thanks for the help. It turns out xyseries is what I needed to pull apart the fields so I'll vote this as closed. For anyone interested the results for me was something like | sichart count by site site_type | table site site_type psrsvd_gc | xyseries site site_type psrsvd_gc which yielded the correct table formatting as described above.

Reply
Solved! Jump to solution

DalJeanis
Legend
‎04-07-2017 01:10 PM

Yes, that data sample you posted just screamed "I was created by untable"... and untable's inverse is xyseries.

...Or, in this simple case, chart works too.

0 Karma
Reply
Get Updates on the Splunk Community!

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Survey for Splunk Admins and App Developers is open now! | Earn a $35 gift card!      Hello there,  Splunk ...

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...