Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How can we get the scatter chart mentioned in http://www.splunk.com/view/SP-CAAACGB to work?

user21041983
Explorer
‎06-23-2015 05:13 AM

How can we get the scatter chart mentioned in the link http://www.splunk.com/view/SP-CAAACGB to work?

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

koshyk
Super Champion
‎06-23-2015 05:35 AM

Best way is to download "simple_xml_examples" app which has got a working version of "Scatter chart"

The core logic is something like below: 

  <chart>
    <title>HTTP 2xx Success Response</title>
    <searchPostProcess>| where (status) >= 200 and (status) < 300</searchPostProcess>
    <option name="charting.chart">scatter</option>
  </chart>

View solution in original post

Reply
Solved! Jump to solution
Solution

koshyk
Super Champion
‎06-23-2015 05:35 AM

Best way is to download "simple_xml_examples" app which has got a working version of "Scatter chart"

The core logic is something like below: 

  <chart>
    <title>HTTP 2xx Success Response</title>
    <searchPostProcess>| where (status) >= 200 and (status) < 300</searchPostProcess>
    <option name="charting.chart">scatter</option>
  </chart>
Reply
Solved! Jump to solution

user21041983
Explorer
‎07-01-2015 01:21 AM

Can you guide me specifically to scatter/bubble examples that are plotted against time?

0 Karma
Reply
Solved! Jump to solution

koshyk
Super Champion
‎07-01-2015 02:30 AM

The sample in above app shows scatter plotted against time where time is "date_hour". You could change the X axis interval to "1" to have it on hourly basis. Also note, Splunk Scatter chart can have 1000 data points max.
index = _internal | stats count, mode(status) by method, status, date_hour | where (status) >= 200 and (status) < 300

The same goes for bubble chart as well is also shown with "date_hour" as X axis.
index = _internal sourcetype=splunkd_access | stats count sum(bytes) as "Total Bytes" by status, date_hour | table status date_hour count "Total Bytes"

There are some complicated examples to use _time, but it is much easier to use date_hour

0 Karma
Reply
Solved! Jump to solution

user21041983
Explorer
‎07-01-2015 02:58 AM

Thanks for the quick response. Howover, my use case requires the monthly/date context preserved. Finding it hard to crack! Did not find anything specific on the link provided. Is there something specific there you pointed out?

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...