Splunk Search

How can I display my data in a bubble chart?

dannestor
Explorer

I am running the following search:

"authentication failed" | stats count by user, sourceip | sort -count | head 10

Which produces a table with three columns: user, sourceip and count, like so (scrubbed data):

alt text

I would like to display this in a bubble visualization, where the X and Y axes map to my users and sourceips, and the size of the bubble maps to the count. Is there any way to do this?

0 Karma

mporath_splunk
Splunk Employee
Splunk Employee

Bubble charts expect three dimensions.

  • The first one can be anything categorical. Something you can count. Think of it as "I want a bubble for each ...". In your example it's most likely your user
  • The second and third dimension need to be numerical so that they can be placed on the X and Y axes. clientip won't work for this.

Your it should work if you drop clientip and add two numerical dimensions to stats count. Try stats count by user, date_minute, date_second. Of course that chart is largely nonsensical, since these time dimensions likely don't carry much information.

dannestor
Explorer

I found some references about setting the X and Y axes to be categorical/discrete, instead of numeric/continuous (example: https://answers.splunk.com/answering/52635/view.html). Did I misunderstand the information there?

0 Karma

buraka
New Member

Hi dannestor, i am facing the same issue,were you able to solve the same ?

0 Karma

dannestor
Explorer

Hey, nope, sorry, I never followed-up on this.

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In September, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...

New in Observability - Improvements to Custom Metrics SLOs, Log Observer Connect & ...

The latest enhancements to the Splunk observability portfolio deliver improved SLO management accuracy, better ...

Improve Data Pipelines Using Splunk Data Management

  Register Now   This Tech Talk will explore the pipeline management offerings Edge Processor and Ingest ...