Splunk Search

How can we get the scatter chart mentioned in http://www.splunk.com/view/SP-CAAACGB to work?

Explorer

How can we get the scatter chart mentioned in the link http://www.splunk.com/view/SP-CAAACGB to work?

Tags (2)
0 Karma
Highlighted

Re: How can we get the scatter chart mentioned in http://www.splunk.com/view/SP-CAAACGB to work?

Super Champion

Best way is to download "simplexmlexamples" app which has got a working version of "Scatter chart"

The core logic is something like below:

  <chart>
    <title>HTTP 2xx Success Response</title>
    <searchPostProcess>| where (status) >= 200 and (status) < 300</searchPostProcess>
    <option name="charting.chart">scatter</option>
  </chart>

View solution in original post

Highlighted

Re: How can we get the scatter chart mentioned in http://www.splunk.com/view/SP-CAAACGB to work?

Explorer

Can you guide me specifically to scatter/bubble examples that are plotted against time?

0 Karma
Highlighted

Re: How can we get the scatter chart mentioned in http://www.splunk.com/view/SP-CAAACGB to work?

Super Champion

The sample in above app shows scatter plotted against time where time is "datehour". You could change the X axis interval to "1" to have it on hourly basis. Also note, Splunk Scatter chart can have 1000 data points max.
index = _internal | stats count, mode(status) by method, status, date
hour | where (status) >= 200 and (status) < 300

The same goes for bubble chart as well is also shown with "datehour" as X axis.
index = _internal sourcetype=splunkd
access | stats count sum(bytes) as "Total Bytes" by status, datehour | table status datehour count "Total Bytes"

There are some complicated examples to use _time, but it is much easier to use date_hour

0 Karma
Highlighted

Re: How can we get the scatter chart mentioned in http://www.splunk.com/view/SP-CAAACGB to work?

Explorer

Thanks for the quick response. Howover, my use case requires the monthly/date context preserved. Finding it hard to crack! Did not find anything specific on the link provided. Is there something specific there you pointed out?

0 Karma