Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Chart question

kennethyeung
New Member
‎10-15-2017 01:33 AM

i have a table like
date. prduct, price
171015, abc, 10
171015, CDE, 15
171014, abc, 8
171014 CDE, 9

how can i put it like that
Date ABC, CDE
171015, 10,15
171014, 9,8

also is it how to visualization

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎10-15-2017 01:45 AM

Hi kennethyeung,
try something like this

index=your_index
| chart values(price) AS price over Date by product

Bye.
Giuseppe

View solution in original post

0 Karma
Reply
Solved! Jump to solution

niketn
Legend
‎10-15-2017 01:50 AM

Will you be having only one price per product per day?

Following is run anywhere search. Commands till table are used to mock the data provided in the question. You need to apply the commands after that to your base search and use the Column or Line Chart to visualize the data:

| makeresults
| eval data="171015,abc,10;171015,CDE,15;171014,abc,8;171014,CDE,9"
| makemv data delim=";" 
| mvexpand data
| makemv data delim=","
| eval date=mvindex(data,0)
| eval product=mvindex(data,1)
| eval price=mvindex(data,2)
| table date product price
| fieldformat date=strftime(strptime(date,"%y%m%d"),"%Y/%m/%d")
| chart last(price) as price over date by product
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Solved! Jump to solution

kennethyeung
New Member
‎10-15-2017 03:25 AM

not work as my expect,
you search data is type by myself , not search from the result.

0 Karma
Reply
Solved! Jump to solution

niketn
Legend
‎10-15-2017 12:57 PM

@kennethyeung, as stated I had provided run anywhere search for testing out with the sample data provided in your question. You required to apply the final two command i.e. fieldformat and chart to your existing search.

In case per day you can have more than one values of each component you should use last(), first(), min() or max() of price rather than values() which will return multiple values for price hence will not show up on chart.

Since you already have found a working answer, I am expecting you do not have more than one price per component per day. Cheers 🙂

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎10-15-2017 01:45 AM

Hi kennethyeung,
try something like this

index=your_index
| chart values(price) AS price over Date by product

Bye.
Giuseppe

0 Karma
Reply
Solved! Jump to solution

kennethyeung
New Member
‎10-15-2017 03:27 AM

Thanks. this is what i want

0 Karma
Reply
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...

New in Observability Cloud - Explicit Bucket Histograms

Splunk introduces native support for histograms as a metric data type within Observability Cloud with Explicit ...