Splunk Search

Chart question

kennethyeung
New Member

i have a table like
date. prduct, price
171015, abc, 10
171015, CDE, 15
171014, abc, 8
171014 CDE, 9

how can i put it like that
Date ABC, CDE
171015, 10,15
171014, 9,8

also is it how to visualization

0 Karma
1 Solution

gcusello
SplunkTrust
SplunkTrust

Hi kennethyeung,
try something like this

index=your_index
| chart values(price) AS price over Date by product

Bye.
Giuseppe

View solution in original post

0 Karma

niketn
Legend

Will you be having only one price per product per day?

Following is run anywhere search. Commands till table are used to mock the data provided in the question. You need to apply the commands after that to your base search and use the Column or Line Chart to visualize the data:

| makeresults
| eval data="171015,abc,10;171015,CDE,15;171014,abc,8;171014,CDE,9"
| makemv data delim=";" 
| mvexpand data
| makemv data delim=","
| eval date=mvindex(data,0)
| eval product=mvindex(data,1)
| eval price=mvindex(data,2)
| table date product price
| fieldformat date=strftime(strptime(date,"%y%m%d"),"%Y/%m/%d")
| chart last(price) as price over date by product
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

kennethyeung
New Member

not work as my expect,
you search data is type by myself , not search from the result.

0 Karma

niketn
Legend

@kennethyeung, as stated I had provided run anywhere search for testing out with the sample data provided in your question. You required to apply the final two command i.e. fieldformat and chart to your existing search.

In case per day you can have more than one values of each component you should use last(), first(), min() or max() of price rather than values() which will return multiple values for price hence will not show up on chart.

Since you already have found a working answer, I am expecting you do not have more than one price per component per day. Cheers 🙂

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi kennethyeung,
try something like this

index=your_index
| chart values(price) AS price over Date by product

Bye.
Giuseppe

0 Karma

kennethyeung
New Member

Thanks. this is what i want

0 Karma
Get Updates on the Splunk Community!

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...

September Community Champions: A Shoutout to Our Contributors!

As we close the books on another fantastic month, we want to take a moment to celebrate the people who are the ...

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...