Splunk Search

## Chart will not show all the values from my search.

Communicator

Doing a search that has a wide range of return values... and the largest one will not display on my chart! I have 7 evals with values, but the chart only displays 6 of them! I'm going crazy.

SEARCH:

```
index=tomcat time_taken_ms=* sourcetype=access_common
| eval Sub1s=if(time_taken_ms>=200 AND time_taken_ms<1000,1,0)
| eval Sub2s=if(time_taken_ms>=1000 AND time_taken_ms<2000,1,0)
| eval Sub3s=if(time_taken_ms>=2000 AND time_taken_ms<3000,1,0)
| eval Sub4s=if(time_taken_ms>=3000 AND time_taken_ms<4000,1,0)
| eval Sub5s=if(time_taken_ms>=4000 AND time_taken_ms<5000,1,0)
| eval Over5s=if(time_taken_ms>=5000 AND time_taken_ms<10000,1,0)
| eval Over10s=if(time_taken_ms>=10000,1,0)
| chart sum(Sub1s) sum(Sub2s) sum(Sub3s) sum(Sub4s) sum(Sub5s) sum(Over5s) sum(Over10s)
```

Picture of output: (image not included on this page)

Contributor

Although it's intuitive to us, Splunk doesn't quite understand what you're trying to do here. It's assuming your first value, which is sum(Sub1s), is the value you want to chart all of the values by or over.

Try this instead -- I've added a seemingly superfluous eval into a field named time_categories, which is then used with your chart statement:

```
index=tomcat time_taken_ms=* sourcetype=access_common
| eval time_categories = "time_categories"
| eval Sub1s=if(time_taken_ms>=200 AND time_taken_ms<1000,1,0)
| eval Sub2s=if(time_taken_ms>=1000 AND time_taken_ms<2000,1,0)
| eval Sub3s=if(time_taken_ms>=2000 AND time_taken_ms<3000,1,0)
| eval Sub4s=if(time_taken_ms>=3000 AND time_taken_ms<4000,1,0)
| eval Sub5s=if(time_taken_ms>=4000 AND time_taken_ms<5000,1,0)
| eval Over5s=if(time_taken_ms>=5000 AND time_taken_ms<10000,1,0)
| eval Over10s=if(time_taken_ms>=10000,1,0)
| chart sum(Sub1s) sum(Sub2s) sum(Sub3s) sum(Sub4s) sum(Sub5s) sum(Over5s) sum(Over10s) BY time_categories
```

There's also another way of doing this without so much maintenance...

If you wanted to add another time category with your current query, you'd have to add the new eval statement and update your chart statement. Rather than individual fields, why not make a single field and use an eval case combination?

```
index=tomcat time_taken_ms=* sourcetype=access_common
| eval time_category = case(
    time_taken_ms>=200 AND time_taken_ms<1000, "Sub1s",
    time_taken_ms>=1000 AND time_taken_ms<2000, "Sub2s",
    time_taken_ms>=2000 AND time_taken_ms<3000, "Sub3s",
    time_taken_ms>=3000 AND time_taken_ms<4000, "Sub4s",
    time_taken_ms>=4000 AND time_taken_ms<5000, "Sub5s",
    time_taken_ms>=5000 AND time_taken_ms<10000, "Over5s",
    time_taken_ms>=10000, "Over10s")
| chart count by time_category
```

Now adding a new time category is as simple as updating the case statement. The chart statement will automatically pick it up.

Hope that helps!
rmmiller
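As an added example (not from the original thread), here is the case() approach run over a constructed set of time_taken_ms values produced with makeresults, so it can be tried without the tomcat index. It also closes a gap in the query above: a request under 200 ms matches no case() branch, gets an empty time_category, and silently drops out of `chart count by`, so a catch-all branch is added; because case() evaluates its conditions in order, each branch only needs an upper bound.

```spl
| makeresults
| eval time_taken_ms="95 150 450 1500 2500 3500 4500 7000 12000"
| makemv delim=" " time_taken_ms
| mvexpand time_taken_ms
| eval time_taken_ms=tonumber(time_taken_ms)
| eval time_category=case(
    time_taken_ms<200,   "Under200ms",
    time_taken_ms<1000,  "Sub1s",
    time_taken_ms<2000,  "Sub2s",
    time_taken_ms<3000,  "Sub3s",
    time_taken_ms<4000,  "Sub4s",
    time_taken_ms<5000,  "Sub5s",
    time_taken_ms<10000, "Over5s",
    true(),              "Over10s")
| chart count by time_category
```

With the constructed values, Under200ms shows a count of 2 and every other category a count of 1; without the first and last branches the two sub-200 ms events would not appear in the chart at all. Note that chart sorts the categories alphabetically, so Over10s and Over5s are listed before Sub1s.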

Communicator

This method works pretty well actually. Thank you. Instead of focusing on the actual time value, I can group these and just show the counts of the transactions that did happen in less than 1 sec, between 2 and 3 sec, etc. It charts much better. Appreciate the help. Great community.

Contributor

Glad to hear it works well for you!

Happy Splunking!

-rmmiller