Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Chart question

kennethyeung
New Member
‎10-15-2017 01:33 AM

i have a table like
date. prduct, price
171015, abc, 10
171015, CDE, 15
171014, abc, 8
171014 CDE, 9

how can i put it like that
Date ABC, CDE
171015, 10,15
171014, 9,8

also is it how to visualization

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎10-15-2017 01:45 AM

Hi kennethyeung,
try something like this

index=your_index
| chart values(price) AS price over Date by product

Bye.
Giuseppe

View solution in original post

0 Karma
Reply
Solved! Jump to solution

niketn
Legend
‎10-15-2017 01:50 AM

Will you be having only one price per product per day?

Following is run anywhere search. Commands till table are used to mock the data provided in the question. You need to apply the commands after that to your base search and use the Column or Line Chart to visualize the data:

| makeresults
| eval data="171015,abc,10;171015,CDE,15;171014,abc,8;171014,CDE,9"
| makemv data delim=";" 
| mvexpand data
| makemv data delim=","
| eval date=mvindex(data,0)
| eval product=mvindex(data,1)
| eval price=mvindex(data,2)
| table date product price
| fieldformat date=strftime(strptime(date,"%y%m%d"),"%Y/%m/%d")
| chart last(price) as price over date by product
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Solved! Jump to solution

kennethyeung
New Member
‎10-15-2017 03:25 AM

not work as my expect,
you search data is type by myself , not search from the result.

0 Karma
Reply
Solved! Jump to solution

niketn
Legend
‎10-15-2017 12:57 PM

@kennethyeung, as stated I had provided run anywhere search for testing out with the sample data provided in your question. You required to apply the final two command i.e. fieldformat and chart to your existing search.

In case per day you can have more than one values of each component you should use last(), first(), min() or max() of price rather than values() which will return multiple values for price hence will not show up on chart.

Since you already have found a working answer, I am expecting you do not have more than one price per component per day. Cheers 🙂

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎10-15-2017 01:45 AM

Hi kennethyeung,
try something like this

index=your_index
| chart values(price) AS price over Date by product

Bye.
Giuseppe

0 Karma
Reply
Solved! Jump to solution

kennethyeung
New Member
‎10-15-2017 03:27 AM

Thanks. this is what i want

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

After a whole week of being on call, you fell asleep on your keyboard, and you hit a sequence of buttons that ...