Hi all,
I am having issues with creating a column chart visualization.
I have, for example, a table that looks like this:
field1 field2 field3 field4
20 10 30 15
What I am trying to do is create two stacked columns with a different color for every value, for field1+field2 and field3+field4, which means every field will have its own color.
Thanks to the helpers!
Do you have a time field in your graph? Time is required to plot your field values in a graph. Please check this code:
<dashboard>
  <label>column chart</label>
  <row>
    <panel>
      <chart>
        <search>
          <query>| makeresults | eval field1=10 | eval field2=16 | eval field3=6 | eval field4=4 | eval time="2019-08-01 13:13"
| append [| makeresults | eval field1=20 | eval field2=5 | eval field3=11 | eval field4=9 | eval time="2019-08-01 14:13"]
| append [| makeresults | eval field1=15 | eval field2=26 | eval field3=17 | eval field4=17 | eval time="2019-08-01 15:13"]
| append [| makeresults | eval field1=26 | eval field2=13 | eval field3=25 | eval field4=26 | eval time="2019-08-01 16:13"]
| eval newfield1=field1+field2 | eval newfield2=field3+field4 | table time newfield1 newfield2</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
        <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
        <option name="charting.axisTitleX.visibility">visible</option>
        <option name="charting.axisTitleY.visibility">visible</option>
        <option name="charting.axisTitleY2.visibility">visible</option>
        <option name="charting.axisX.abbreviation">none</option>
        <option name="charting.axisX.scale">linear</option>
        <option name="charting.axisY.abbreviation">none</option>
        <option name="charting.axisY.scale">linear</option>
        <option name="charting.axisY2.abbreviation">none</option>
        <option name="charting.axisY2.enabled">0</option>
        <option name="charting.axisY2.scale">inherit</option>
        <option name="charting.chart">column</option>
        <option name="charting.chart.bubbleMaximumSize">50</option>
        <option name="charting.chart.bubbleMinimumSize">10</option>
        <option name="charting.chart.bubbleSizeBy">area</option>
        <option name="charting.chart.nullValueMode">gaps</option>
        <option name="charting.chart.showDataLabels">none</option>
        <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
        <option name="charting.chart.stackMode">stacked</option>
        <option name="charting.chart.style">shiny</option>
        <option name="charting.drilldown">none</option>
        <option name="charting.layout.splitSeries">0</option>
        <option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
        <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
        <option name="charting.legend.mode">standard</option>
        <option name="charting.legend.placement">right</option>
        <option name="charting.lineWidth">2</option>
        <option name="trellis.enabled">0</option>
        <option name="trellis.scales.shared">1</option>
        <option name="trellis.size">medium</option>
        <option name="charting.fieldColors">{"newfield1": 0x0583F2,"newfield2": 0x05DBF2}</option>
      </chart>
    </panel>
  </row>
</dashboard>
Hi astatrial,
can you share something about your search?
Anyway, if you have a limited range of values:
index=my_index
| stats count(eval(field1)) AS field1 count(eval(field2)) AS field2 count(eval(field3)) AS field3 count(eval(field4)) AS field4
then you can assign colours following the hints of the Splunk Dashboard Examples App ( https://splunkbase.splunk.com/app/1603/ ) "Table Formats":
<format type="color" field="field1">
<colorPalette type="list">[#65A637,#65A637]</colorPalette>
<scale type="threshold">0,100</scale>
</format>
Bye.
Giuseppe
@astatrial you would need to add a little bit more context to your question. Which is the correlation field for your above results which links field1 with field2 and field3 with field4. Unless you have that you can not create Stacked chart.
Following is a run anywhere example where I have used cat1 and cat2 as the correlation categories:
| makeresults
| fields - _time
| eval data="cat1,field1=20;cat1,field2=10;cat2,field3=30;cat2,field4=15"
| makemv data delim=";"
| mvexpand data
| makemv data delim=","
| eval category=mvindex(data,0), _raw=mvindex(data,1)
| fields - data
| KV
| fields - _raw
| chart last(*) as * by category
That worked perfectly!
I was well aware of the correlation field, but I didn't think about a double makemv with two delimiters.
Also, I wasn't aware of the KV command.
Can you tell me a little bit more about it? I couldn't find any docs about it.
Anyway, I accepted the answer 🙂
makemv and mvexpand are only good for these run anywhere examples. With your actual data, if you are working with multi-valued fields, you should re-think how and why you ended up with those and whether you can avoid them.
The KV command and the extract command allow you to extract fields from raw data 🙂 Again, we use them mostly for run anywhere examples, as Splunk would perform field extractions on indexed data by default.
I myself learnt it on Splunk Answers.
I customized what you suggested to my data.
Thanks for everything!
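The reshaping the accepted answer describes, applied directly to the single-row table from the question and combined with the stacked-column and `charting.fieldColors` options from the dashboard answer. This is an added example, not code posted by anyone in the thread: it uses `untable` and `xyseries` instead of `makemv`/`KV`, and the helper field `row`, the category names `cat1`/`cat2` (taken from the accepted answer) and the color values are assumptions.

```xml
<dashboard>
  <label>Stacked columns, one color per field (added example)</label>
  <row>
    <panel>
      <chart>
        <!-- Constructed sample data: the one-row table from the question.
             Replace the first three lines of the query with a real search
             that returns field1..field4 in a single row. -->
        <search>
          <query>| makeresults
| fields - _time
| eval field1=20, field2=10, field3=30, field4=15
| eval row="all"
| untable row field value
| eval category=case(in(field,"field1","field2"),"cat1", in(field,"field3","field4"),"cat2")
| xyseries category field value</query>
        </search>
        <!-- One column per category; the fields of a category are stacked -->
        <option name="charting.chart">column</option>
        <option name="charting.chart.stackMode">stacked</option>
        <!-- Keys must match the series (field) names produced by xyseries -->
        <option name="charting.fieldColors">{"field1": 0x0583F2, "field2": 0x05DBF2, "field3": 0xF29F05, "field4": 0xF25C05}</option>
      </chart>
    </panel>
  </row>
</dashboard>
```

The search returns two rows (`cat1` with field1 and field2, `cat2` with field3 and field4), which is the same shape the accepted answer's `chart last(*) as * by category` produces.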