Splunk Search

Chart question

kennethyeung
New Member

i have a table like
date. prduct, price
171015, abc, 10
171015, CDE, 15
171014, abc, 8
171014 CDE, 9

how can i put it like that
Date ABC, CDE
171015, 10,15
171014, 9,8

also is it how to visualization

0 Karma
1 Solution

gcusello
SplunkTrust
SplunkTrust

Hi kennethyeung,
try something like this

index=your_index
| chart values(price) AS price over Date by product

Bye.
Giuseppe

View solution in original post

0 Karma

niketn
Legend

Will you be having only one price per product per day?

Following is run anywhere search. Commands till table are used to mock the data provided in the question. You need to apply the commands after that to your base search and use the Column or Line Chart to visualize the data:

| makeresults
| eval data="171015,abc,10;171015,CDE,15;171014,abc,8;171014,CDE,9"
| makemv data delim=";" 
| mvexpand data
| makemv data delim=","
| eval date=mvindex(data,0)
| eval product=mvindex(data,1)
| eval price=mvindex(data,2)
| table date product price
| fieldformat date=strftime(strptime(date,"%y%m%d"),"%Y/%m/%d")
| chart last(price) as price over date by product
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

kennethyeung
New Member

not work as my expect,
you search data is type by myself , not search from the result.

0 Karma

niketn
Legend

@kennethyeung, as stated I had provided run anywhere search for testing out with the sample data provided in your question. You required to apply the final two command i.e. fieldformat and chart to your existing search.

In case per day you can have more than one values of each component you should use last(), first(), min() or max() of price rather than values() which will return multiple values for price hence will not show up on chart.

Since you already have found a working answer, I am expecting you do not have more than one price per component per day. Cheers 🙂

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi kennethyeung,
try something like this

index=your_index
| chart values(price) AS price over Date by product

Bye.
Giuseppe

0 Karma

kennethyeung
New Member

Thanks. this is what i want

0 Karma
Get Updates on the Splunk Community!

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...