Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How can I display my data in a bubble chart?

dannestor
Explorer
‎11-16-2015 07:48 AM

I am running the following search:

"authentication failed" | stats count by user, sourceip | sort -count | head 10

Which produces a table with three columns: user, sourceip and count, like so (scrubbed data):

alt text

I would like to display this in a bubble visualization, where the X and Y axes map to my users and sourceips, and the size of the bubble maps to the count. Is there any way to do this?

Preview file
1 KB
0 Karma
Reply

mporath_splunk
Splunk Employee
Splunk Employee
‎11-16-2015 10:19 AM

Bubble charts expect three dimensions.

  • The first one can be anything categorical. Something you can count. Think of it as "I want a bubble for each ...". In your example it's most likely your user
  • The second and third dimension need to be numerical so that they can be placed on the X and Y axes. clientip won't work for this.

Your it should work if you drop clientip and add two numerical dimensions to stats count. Try stats count by user, date_minute, date_second. Of course that chart is largely nonsensical, since these time dimensions likely don't carry much information.

Reply

dannestor
Explorer
‎11-16-2015 11:35 AM

I found some references about setting the X and Y axes to be categorical/discrete, instead of numeric/continuous (example: https://answers.splunk.com/answering/52635/view.html). Did I misunderstand the information there?

0 Karma
Reply

buraka
New Member
‎04-09-2018 02:59 AM

Hi dannestor, i am facing the same issue,were you able to solve the same ?

0 Karma
Reply

dannestor
Explorer
‎04-09-2018 03:22 AM

Hey, nope, sorry, I never followed-up on this.

0 Karma
Reply
Get Updates on the Splunk Community!

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Survey for Splunk Admins and App Developers is open now! | Earn a $35 gift card!      Hello there,  Splunk ...

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...