Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Chart Multiple (4) Fields

arielpconsolaci
Path Finder
‎06-22-2017 09:18 PM

Is it possible to create a chart out of 4 fields in Splunk?
I am trying to create a chart shown below but I was only able to using 3 fields (without the status). My given data have 4 fields. Any suggestions to this? Thanks in advance.alt text

Preview file
83 KB
0 Karma
Reply

cmerriman
Super Champion
‎06-23-2017 04:49 AM

what version of splunk are you currently running? if you are on 6.6, i would recommend the new Trellis feature for this. 

| makeresults |eval data="_time=1498217650,component=A,status=running,no=10 _time=1498217651,component=A,status=running,no=20 _time=1498217652,component=A,status=offline,no=10 _time=1498217653,component=A,status=online,no=30 _time=1498217650,component=B,status=running,no=20 _time=1498217651,component=B,status=offline,no=40 _time=1498217652,component=B,status=offline,no=10 _time=1498217653,component=B,status=running,no=40"|makemv data |mvexpand data|eval _raw=data|kv|eval _time=time|stats values(no) as no by _time component status|eval{status}=no|fields - status - no

you can split each component into its own chart with the same query. Splunk does not currently have a way, that I know of, to allow for multi-level x-axis, like Excel does, and the trellis feature is a close second.

0 Karma
Reply

HeinzWaescher
Motivator
‎06-23-2017 12:18 AM

What about something like:

index=component_server
| timechart span=1m sum(No.), values(status) AS status by component
| fillnull value=0

0 Karma
Reply

arielpconsolaci
Path Finder
‎06-23-2017 02:26 AM

Thank you for this suggestion @HeinzWaescher. This however does not show the 'Status'.

0 Karma
Reply

inventsekar
SplunkTrust
SplunkTrust
‎06-22-2017 10:26 PM

ok, please check this... as timechart by Status can be one idea.. please check the image. 

sourcetype="csvtest" | timechart span=1m sum(No) by Status | fillnull value=0

alt text

thanks and best regards,
Sekar

PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !
Preview file
90 KB
Reply

arielpconsolaci
Path Finder
‎06-23-2017 12:08 AM

Thank you for this, @inventsekar. However, i'd need a chart (based on component and status) close to the screenshot i've sent above.

0 Karma
Reply

inventsekar
SplunkTrust
SplunkTrust
‎06-22-2017 09:30 PM

may we know your current splunk search query..
you can do some split by or layered/multi-stack options I think.
one question - how status can be embedded on this chart - is a tricky issue.

thanks and best regards,
Sekar

PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !
0 Karma
Reply

arielpconsolaci
Path Finder
‎06-22-2017 09:37 PM

Thank you for your response @inventsekar.

My query is as simple as below.

index=component_server
| timechart span=1m sum(No.) by Component
| fillnull value=0

Yes. I am having troubles incorporating the 'Status'. Can you advise on this?

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Community Content Calendar, September edition

Welcome to another insightful post from our Community Content Calendar! We're thrilled to continue bringing ...

Splunkbase Unveils New App Listing Management Public Preview

Splunkbase Unveils New App Listing Management Public PreviewWe're thrilled to announce the public preview of ...

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you leveraging automation to its fullest potential in your threat detection strategy?Our upcoming Security ...