Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Chart Multiple (4) Fields

arielpconsolaci
Path Finder
‎06-22-2017 09:18 PM

Is it possible to create a chart out of 4 fields in Splunk?
I am trying to create a chart shown below but I was only able to using 3 fields (without the status). My given data have 4 fields. Any suggestions to this? Thanks in advance.alt text

Preview file
83 KB
0 Karma
Reply

cmerriman
Super Champion
‎06-23-2017 04:49 AM

what version of splunk are you currently running? if you are on 6.6, i would recommend the new Trellis feature for this. 

| makeresults |eval data="_time=1498217650,component=A,status=running,no=10 _time=1498217651,component=A,status=running,no=20 _time=1498217652,component=A,status=offline,no=10 _time=1498217653,component=A,status=online,no=30 _time=1498217650,component=B,status=running,no=20 _time=1498217651,component=B,status=offline,no=40 _time=1498217652,component=B,status=offline,no=10 _time=1498217653,component=B,status=running,no=40"|makemv data |mvexpand data|eval _raw=data|kv|eval _time=time|stats values(no) as no by _time component status|eval{status}=no|fields - status - no

you can split each component into its own chart with the same query. Splunk does not currently have a way, that I know of, to allow for multi-level x-axis, like Excel does, and the trellis feature is a close second.

0 Karma
Reply

HeinzWaescher
Motivator
‎06-23-2017 12:18 AM

What about something like:

index=component_server
| timechart span=1m sum(No.), values(status) AS status by component
| fillnull value=0

0 Karma
Reply

arielpconsolaci
Path Finder
‎06-23-2017 02:26 AM

Thank you for this suggestion @HeinzWaescher. This however does not show the 'Status'.

0 Karma
Reply

inventsekar
SplunkTrust
SplunkTrust
‎06-22-2017 10:26 PM

ok, please check this... as timechart by Status can be one idea.. please check the image. 

sourcetype="csvtest" | timechart span=1m sum(No) by Status | fillnull value=0

alt text

Preview file
90 KB
Reply

arielpconsolaci
Path Finder
‎06-23-2017 12:08 AM

Thank you for this, @inventsekar. However, i'd need a chart (based on component and status) close to the screenshot i've sent above.

0 Karma
Reply

inventsekar
SplunkTrust
SplunkTrust
‎06-22-2017 09:30 PM

may we know your current splunk search query..
you can do some split by or layered/multi-stack options I think.
one question - how status can be embedded on this chart - is a tricky issue.

0 Karma
Reply

arielpconsolaci
Path Finder
‎06-22-2017 09:37 PM

Thank you for your response @inventsekar.

My query is as simple as below.

index=component_server
| timechart span=1m sum(No.) by Component
| fillnull value=0

Yes. I am having troubles incorporating the 'Status'. Can you advise on this?

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

May 2026 Splunk Expert Sessions: Security & Observability

Level Up Your Operations: May 2026 Splunk Expert Sessions Whether you are refining your security posture or ...

Network to App: Observability Unlocked [May & June Series]

In today’s digital landscape, your environment is no longer confined to the data center. It spans complex ...

SPL2 Deep Dives, AppDynamics Integrations, SAML Made Simple and Much More on Splunk ...

Splunk Lantern is Splunk’s customer success center that provides practical guidance from Splunk experts on key ...