Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How can we get the scatter chart mentioned in http://www.splunk.com/view/SP-CAAACGB to work?

user21041983
Explorer
‎06-23-2015 05:13 AM

How can we get the scatter chart mentioned in the link http://www.splunk.com/view/SP-CAAACGB to work?

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

koshyk
Super Champion
‎06-23-2015 05:35 AM

Best way is to download "simple_xml_examples" app which has got a working version of "Scatter chart"

The core logic is something like below: 

  <chart>
    <title>HTTP 2xx Success Response</title>
    <searchPostProcess>| where (status) >= 200 and (status) < 300</searchPostProcess>
    <option name="charting.chart">scatter</option>
  </chart>

View solution in original post

Reply
Solved! Jump to solution
Solution

koshyk
Super Champion
‎06-23-2015 05:35 AM

Best way is to download "simple_xml_examples" app which has got a working version of "Scatter chart"

The core logic is something like below: 

  <chart>
    <title>HTTP 2xx Success Response</title>
    <searchPostProcess>| where (status) >= 200 and (status) < 300</searchPostProcess>
    <option name="charting.chart">scatter</option>
  </chart>
Reply
Solved! Jump to solution

user21041983
Explorer
‎07-01-2015 01:21 AM

Can you guide me specifically to scatter/bubble examples that are plotted against time?

0 Karma
Reply
Solved! Jump to solution

koshyk
Super Champion
‎07-01-2015 02:30 AM

The sample in above app shows scatter plotted against time where time is "date_hour". You could change the X axis interval to "1" to have it on hourly basis. Also note, Splunk Scatter chart can have 1000 data points max.
index = _internal | stats count, mode(status) by method, status, date_hour | where (status) >= 200 and (status) < 300

The same goes for bubble chart as well is also shown with "date_hour" as X axis.
index = _internal sourcetype=splunkd_access | stats count sum(bytes) as "Total Bytes" by status, date_hour | table status date_hour count "Total Bytes"

There are some complicated examples to use _time, but it is much easier to use date_hour

0 Karma
Reply
Solved! Jump to solution

user21041983
Explorer
‎07-01-2015 02:58 AM

Thanks for the quick response. Howover, my use case requires the monthly/date context preserved. Finding it hard to crack! Did not find anything specific on the link provided. Is there something specific there you pointed out?

0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...