Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

FEATURE REQUEST: Trellis timechart with color by field

bandit
Motivator
‎11-06-2017 06:29 PM

Ok, I've figured this out for pie charts, but it seems I'm not able to do this for timecharts in trellis? I'd like to color by a field (result). Here's sample query that's working for a pie chart. In the queries below, I want to color by result. (ok, error, or timeout)

This one works nicely since I can split the trellis by title and then color by result 🙂
pie chart search:

index=preview sourcetype=website_input
| rex field=source "web_input://(?<title>.+)"
| fillnull value=timeout result
| chart count by  title result

I can't use the timechart command since it only allows one split by clause 😞 otherwise this would be trivial to do.
search:

index=preview sourcetype=website_input
| rex field=source "web_input://(?<title>.+)"
| fillnull value=timeout result
| timechart count by result

ok, let's try stats. Then we can split the trellis by title and then color by result. Nope 😞 doesn't render
search:

index=preview sourcetype=website_input
| rex field=source "web_input://(?<title>.+)"
| fillnull value=timeout result
| bucket _time span=5m
| stats count by _time result title

alt text

alt text

Preview file
1 KB
Preview file
1 KB
Reply
1 Solution
Solved! Jump to solution
Solution

MattZerfas
Communicator
‎11-07-2017 01:25 PM

I think something like this should get you what you want hopefully.

index=_internal status=* sourcetype=splunk_web_access user!="-" 
| eval type=case(status="200","good",status="404","bad",1=1,"other") 
| timechart span=1h limit=10 useother=f  c(eval(type="good")) as good c(eval(type="bad")) as bad c(eval(type="other")) as other  by user

You should be able to run that on your instance.You should be able to trellis by user and each user will show good/bad/other items on their own timechart.

View solution in original post

Reply
Solved! Jump to solution
Solution

MattZerfas
Communicator
‎11-07-2017 01:25 PM

I think something like this should get you what you want hopefully.

index=_internal status=* sourcetype=splunk_web_access user!="-" 
| eval type=case(status="200","good",status="404","bad",1=1,"other") 
| timechart span=1h limit=10 useother=f  c(eval(type="good")) as good c(eval(type="bad")) as bad c(eval(type="other")) as other  by user

You should be able to run that on your instance.You should be able to trellis by user and each user will show good/bad/other items on their own timechart.

Reply
Solved! Jump to solution

bandit
Motivator
‎11-07-2017 12:49 PM

@MattZerfas came up with this great workaround. I'm still hoping they will come out with an easy version at some point so we won't have to hard code the fields, but this will definitely work for the dashboards where I have a very static values for these fields.

and my updated query:

index=preview sourcetype=website_input
| rex field=source "web_input://(?<title>.+)"
| fillnull value=timeout result
| timechart partial=f span=5m limit=10 useother=f c(eval(result="ok")) as ok c(eval(result="timeout")) as timeout c(eval(result="error")) as error by title
0 Karma
Reply
Solved! Jump to solution

niketn
Legend
‎11-06-2017 07:22 PM

@Rob_Jordan, the basic difference between pie chart and timechart is that while pie chart has two series result and title, timechart already has an additional field _time besides result and title. Which implies when you split Timechart for Trellis (one split is _time), you can either use result or title but not both.

You can change the Trellis Split By option as title or result

    <option name="trellis.enabled">1</option>
    <option name="trellis.scales.shared">0</option>
    <option name="trellis.size">small</option>
    <option name="trellis.splitBy">title</option>
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Solved! Jump to solution

bandit
Motivator
‎11-06-2017 08:39 PM

Right, so when I use trellis with a timechart, I essentially lose my split-by clause that's that's normally available to use for coloring my timechart. I'm just thinking that it was a missed opportunity for the initial trellis release and will hopefully be in the next version.

0 Karma
Reply
Solved! Jump to solution

niketn
Legend
‎11-06-2017 10:49 PM

Sure who would not love that :). But I feel it would be complete change from Trellis based on x and y series to x, y and z series.

I was able to split by either title or result but obviously not both because there is already a depiction of _time. I am not sure whether you were able to do the same or not.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Solved! Jump to solution

bandit
Motivator
‎11-07-2017 07:27 AM

I get that it doesn't do that today, hence my title of FEATURE REQUEST, however, I feel you should be able to do this even if it's with the chart or stats lead-in commands instead of a timechart command. I also feel it closely aligns with the Trellis use case to save both time and search resources on dashboard creation.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...

Introducing Splunk Enterprise 9.2

WATCH HERE! Watch this Tech Talk to learn about the latest features and enhancements shipped in the new Splunk ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...