Splunk Search

Column chart

astatrial
Contributor

Hi all,
I am having issues with creating column chart visualization.

I have for example table that looks like this:

field1    field2    field3    field4
20        10        30        15

What I am trying to do is to create two stacked columns with different colors for every value, for field1+field2 and field3+field4, which means every field will have its own color.

Thanks for the helpers!

1 Solution

niketn
Legend

@astatrial you would need to add a little bit more context to your question. Which is the correlation field for your above results that links field1 with field2 and field3 with field4? Unless you have that, you cannot create a stacked chart.

Following is a run-anywhere example where I have used cat1 and cat2 as the correlation categories:

|  makeresults
|  fields - _time
|  eval data="cat1,field1=20;cat1,field2=10;cat2,field3=30;cat2,field4=15"
|  makemv data delim=";"
|  mvexpand data
|  makemv data delim=","
|  eval category=mvindex(data,0), _raw=mvindex(data,1)
|  fields - data
|  KV
|  fields - _raw
|  chart last(*) as * by category
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"


jitendragupta
Path Finder

Do you have a time field in your graph? Time is required to plot your field values in a graph. Please check this code:

<dashboard>
  <label>column chart</label>
  <row>
    <panel>
      <chart>
        <search>
          <query>| makeresults | eval field1=10 | eval field2=16 | eval field3=6 | eval field4=4 | eval time="2019-08-01 13:13"
| append  [| makeresults | eval field1=20 | eval field2=5 | eval field3=11 | eval field4=9 | eval time="2019-08-01 14:13"]
| append  [| makeresults | eval field1=15 | eval field2=26 | eval field3=17 | eval field4=17 | eval time="2019-08-01 15:13"]
| append  [| makeresults | eval field1=26 | eval field2=13 | eval field3=25 | eval field4=26 | eval time="2019-08-01 16:13"]
| eval newfield1=field1+field2 | eval newfield2=field3+field4 | table time newfield1  newfield2</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
        <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
        <option name="charting.axisTitleX.visibility">visible</option>
        <option name="charting.axisTitleY.visibility">visible</option>
        <option name="charting.axisTitleY2.visibility">visible</option>
        <option name="charting.axisX.abbreviation">none</option>
        <option name="charting.axisX.scale">linear</option>
        <option name="charting.axisY.abbreviation">none</option>
        <option name="charting.axisY.scale">linear</option>
        <option name="charting.axisY2.abbreviation">none</option>
        <option name="charting.axisY2.enabled">0</option>
        <option name="charting.axisY2.scale">inherit</option>
        <option name="charting.chart">column</option>
        <option name="charting.chart.bubbleMaximumSize">50</option>
        <option name="charting.chart.bubbleMinimumSize">10</option>
        <option name="charting.chart.bubbleSizeBy">area</option>
        <option name="charting.chart.nullValueMode">gaps</option>
        <option name="charting.chart.showDataLabels">none</option>
        <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
        <option name="charting.chart.stackMode">stacked</option>
        <option name="charting.chart.style">shiny</option>
        <option name="charting.drilldown">none</option>
        <option name="charting.layout.splitSeries">0</option>
        <option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
        <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
        <option name="charting.legend.mode">standard</option>
        <option name="charting.legend.placement">right</option>
        <option name="charting.lineWidth">2</option>
        <option name="trellis.enabled">0</option>
        <option name="trellis.scales.shared">1</option>
        <option name="trellis.size">medium</option>
        <option name="charting.fieldColors">{"newfield1": 0x0583F2,"newfield2": 0x05DBF2}</option>
      </chart>
    </panel>
  </row>
</dashboard>

gcusello
SplunkTrust

Hi astatrial,
can you share something about your search?
Anyway, if you have a limited range of values:

index=my_index
| stats count(eval(field1)) AS field1 count(eval(field2)) AS field2 count(eval(field3)) AS field3 count(eval(field4)) AS field4

then you can assign colours following the hints of the Splunk Dashboard Examples App ( https://splunkbase.splunk.com/app/1603/ ) "Table Formats":

<format type="color" field="field1">
  <colorPalette type="list">[#65A637,#65A637]</colorPalette>
  <scale type="threshold">0,100</scale>
</format>

Bye.
Giuseppe



astatrial
Contributor

That worked perfectly!
I was well aware of the correlation field but I didn't think about a double makemv by two delimiters.

Also I wasn't aware of the KV command.
Can you tell me a little bit more about it? I couldn't find any docs about it.

Anyway I accepted the answer 🙂


niketn
Legend

makemv and mvexpand are only good for these run-anywhere examples. With your actual data, if you are working with multi-valued fields you should re-think how and why you ended up with those and whether you can avoid them.

The KV command and the extract command allow you to extract fields from raw data 🙂 Again, we use them mostly for run-anywhere examples, as Splunk would perform field extractions on indexed data by default.

I myself learnt it on Splunk Answers.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
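As an added example (not from any of the posts in this thread), the same stacked-chart result can be produced without makemv, mvexpand or KV by reshaping the single wide row with untable and then assigning the correlation category with eval. The sample values field1..field4 are constructed to match the table in the question; the row label "totals" and the category names cat1/cat2 are assumptions:

```spl
| makeresults
| eval field1=20, field2=10, field3=30, field4=15
| fields - _time
| eval row="totals"
| untable row field value
| eval category=if(match(field, "^field[12]$"), "cat1", "cat2")
| chart sum(value) BY category field
```

untable turns the one wide row into four narrow rows (field, value), eval maps field1 and field2 to cat1 and field3 and field4 to cat2, and chart with two split-by fields yields one row per category with one column per original field, which is the same table niketn's search produces. With the visualization set to Column and Stack Mode set to stacked, each category becomes one column and each field keeps its own color. On real indexed data, replace makeresults with the search that returns the wide row (for example a stats summary) and keep the untable and chart steps unchanged.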

astatrial
Contributor

I customized what you suggested to my data.

Thanks for everything!
