Splunk Search

How can we get the scatter chart mentioned in http://www.splunk.com/view/SP-CAAACGB to work?

user21041983
Explorer

How can we get the scatter chart mentioned in the link http://www.splunk.com/view/SP-CAAACGB to work?

Tags (2)
0 Karma
1 Solution

koshyk
Super Champion

Best way is to download "simple_xml_examples" app which has got a working version of "Scatter chart"

The core logic is something like below:

  <chart>
    <title>HTTP 2xx Success Response</title>
    <searchPostProcess>| where (status) >= 200 and (status) < 300</searchPostProcess>
    <option name="charting.chart">scatter</option>
  </chart>

View solution in original post

koshyk
Super Champion

Best way is to download "simple_xml_examples" app which has got a working version of "Scatter chart"

The core logic is something like below:

  <chart>
    <title>HTTP 2xx Success Response</title>
    <searchPostProcess>| where (status) >= 200 and (status) < 300</searchPostProcess>
    <option name="charting.chart">scatter</option>
  </chart>

user21041983
Explorer

Can you guide me specifically to scatter/bubble examples that are plotted against time?

0 Karma

koshyk
Super Champion

The sample in above app shows scatter plotted against time where time is "date_hour". You could change the X axis interval to "1" to have it on hourly basis. Also note, Splunk Scatter chart can have 1000 data points max.
index = _internal | stats count, mode(status) by method, status, date_hour | where (status) >= 200 and (status) < 300

The same goes for bubble chart as well is also shown with "date_hour" as X axis.
index = _internal sourcetype=splunkd_access | stats count sum(bytes) as "Total Bytes" by status, date_hour | table status date_hour count "Total Bytes"

There are some complicated examples to use _time, but it is much easier to use date_hour

0 Karma

user21041983
Explorer

Thanks for the quick response. Howover, my use case requires the monthly/date context preserved. Finding it hard to crack! Did not find anything specific on the link provided. Is there something specific there you pointed out?

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...