Splunk Search

How can I display my data in a bubble chart?

Explorer

I am running the following search:

"authentication failed" | stats count by user, sourceip | sort -count | head 10

Which produces a table with three columns: user, sourceip and count, like so (scrubbed data):

I would like to display this in a bubble visualization, where the X and Y axes map to my users and sourceips, and the size of the bubble maps to the count. Is there any way to do this?

0 Karma

Splunk Employee

Bubble charts expect three dimensions.

  • The first one can be anything categorical. Something you can count. Think of it as "I want a bubble for each ...". In your example it's most likely your user.
  • The second and third dimension need to be numerical so that they can be placed on the X and Y axes. clientip won't work for this.

It should work if you drop clientip and add two numerical dimensions to stats count. Try stats count by user, date_minute, date_second. Of course that chart is largely nonsensical, since these time dimensions likely don't carry much information.

Explorer

I found some references about setting the X and Y axes to be categorical/discrete, instead of numeric/continuous (example: https://answers.splunk.com/answering/52635/view.html). Did I misunderstand the information there?

0 Karma

New Member

Hi dannestor, I am facing the same issue. Were you able to solve the same?

0 Karma

Explorer

Hey, nope, sorry, I never followed up on this.

0 Karma