How can I display my data in a bubble chart?

dannestor · ‎11-16-2015

I am running the following search:

"authentication failed" | stats count by user, sourceip | sort -count | head 10

Which produces a table with three columns: user, sourceip and count, like so (scrubbed data):

I would like to display this in a bubble visualization, where the X and Y axes map to my users and sourceips, and the size of the bubble maps to the count. Is there any way to do this?

mporath_splunk · ‎11-16-2015

Bubble charts expect three dimensions.

The first one can be anything categorical. Something you can count. Think of it as "I want a bubble for each ...". In your example it's most likely your user
The second and third dimension need to be numerical so that they can be placed on the X and Y axes. clientip won't work for this.

Your it should work if you drop clientip and add two numerical dimensions to stats count. Try stats count by user, date_minute, date_second. Of course that chart is largely nonsensical, since these time dimensions likely don't carry much information.

dannestor · ‎11-16-2015

I found some references about setting the X and Y axes to be categorical/discrete, instead of numeric/continuous (example: https://answers.splunk.com/answering/52635/view.html). Did I misunderstand the information there?

buraka · ‎04-09-2018

Hi dannestor, i am facing the same issue,were you able to solve the same ?

dannestor · ‎04-09-2018

Hey, nope, sorry, I never followed-up on this.

How can I display my data in a bubble chart?

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

Transform your security operations with Splunk Enterprise Security

Splunk Admins and App Developers | Earn a $35 gift card!