Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Chart Multiple (4) Fields

arielpconsolaci
Path Finder
‎06-22-2017 09:18 PM

Is it possible to create a chart out of 4 fields in Splunk?
I am trying to create a chart shown below but I was only able to using 3 fields (without the status). My given data have 4 fields. Any suggestions to this? Thanks in advance.alt text

Preview file
83 KB
0 Karma
Reply

cmerriman
Super Champion
‎06-23-2017 04:49 AM

what version of splunk are you currently running? if you are on 6.6, i would recommend the new Trellis feature for this. 

| makeresults |eval data="_time=1498217650,component=A,status=running,no=10 _time=1498217651,component=A,status=running,no=20 _time=1498217652,component=A,status=offline,no=10 _time=1498217653,component=A,status=online,no=30 _time=1498217650,component=B,status=running,no=20 _time=1498217651,component=B,status=offline,no=40 _time=1498217652,component=B,status=offline,no=10 _time=1498217653,component=B,status=running,no=40"|makemv data |mvexpand data|eval _raw=data|kv|eval _time=time|stats values(no) as no by _time component status|eval{status}=no|fields - status - no

you can split each component into its own chart with the same query. Splunk does not currently have a way, that I know of, to allow for multi-level x-axis, like Excel does, and the trellis feature is a close second.

0 Karma
Reply

HeinzWaescher
Motivator
‎06-23-2017 12:18 AM

What about something like:

index=component_server
| timechart span=1m sum(No.), values(status) AS status by component
| fillnull value=0

0 Karma
Reply

arielpconsolaci
Path Finder
‎06-23-2017 02:26 AM

Thank you for this suggestion @HeinzWaescher. This however does not show the 'Status'.

0 Karma
Reply

inventsekar
SplunkTrust
SplunkTrust
‎06-22-2017 10:26 PM

ok, please check this... as timechart by Status can be one idea.. please check the image. 

sourcetype="csvtest" | timechart span=1m sum(No) by Status | fillnull value=0

alt text

thanks and best regards,
Sekar

PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !
Preview file
90 KB
Reply

arielpconsolaci
Path Finder
‎06-23-2017 12:08 AM

Thank you for this, @inventsekar. However, i'd need a chart (based on component and status) close to the screenshot i've sent above.

0 Karma
Reply

inventsekar
SplunkTrust
SplunkTrust
‎06-22-2017 09:30 PM

may we know your current splunk search query..
you can do some split by or layered/multi-stack options I think.
one question - how status can be embedded on this chart - is a tricky issue.

thanks and best regards,
Sekar

PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !
0 Karma
Reply

arielpconsolaci
Path Finder
‎06-22-2017 09:37 PM

Thank you for your response @inventsekar.

My query is as simple as below.

index=component_server
| timechart span=1m sum(No.) by Component
| fillnull value=0

Yes. I am having troubles incorporating the 'Status'. Can you advise on this?

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to January Tech Talks, Office Hours, and Webinars!

What are Community Office Hours? Community Office Hours is an interactive 60-minute Zoom series where ...

[Puzzles] Solve, Learn, Repeat: Reprocessing XML into Fixed-Length Events

This challenge was first posted on Slack #puzzles channelFor a previous puzzle, I needed a set of fixed-length ...

Data Management Digest – December 2025

Welcome to the December edition of Data Management Digest! As we continue our journey of data innovation, the ...