Splunk Search

How do I display the content from my search results table in a scatter or D3 chart?

rajgowd1
Communicator

Hi,

I have a search which displays content in a table format. Here is the search, and I would like to show the results in a scatter chart or in D3.

index=myindex mess_type=OUT origin=* org_name=* env=* (app_name=cap-demo-test OR app_name=nem-cap-bat OR app_name=nem-cap-pag) | eval newmsg="UPDATE" | rex field=fullmsg "(?<newmsg>CRASHED|STARTED|STOPPED)" | table app_name, time, source_instance, newmsg | sort app_name, time, source_instance, newmsg
0 Karma
1 Solution

dbcase
Motivator

Hmmmm well a couple of thoughts

Have you tried formatting the timechart as a multi-series? This way each series is on a chart of its own. Might be easier to understand that way.

Another option would be to try a Horizon Chart (it's a Splunkbase add-on - https://splunkbase.splunk.com/app/3117/)

What is it in particular that the manager doesn't understand?

rajgowd1
Communicator

Hi, thanks for your response.
I tried multi-series. It's better now.

And I tried the Horizon chart, but they were using a search something like timechart useother="f" span=1d limit=10 latest(open) by ticker_symbol

But I am not sure how I can write my query to fit into the Horizon chart.

0 Karma

dbcase
Motivator

Yea that is one limitation of the Horizon chart, it will only graph 10 Y axis values.

Glad to hear multi-series helped!!!

0 Karma

rajgowd1
Communicator

Thank you. I do not see the accept button.
Where can I accept this answer?

0 Karma

dbcase
Motivator

Just converted it to an answer

0 Karma

gcusello
SplunkTrust

Hi rajgowd1,
The best way to do what you want is to download and install the Splunk 6.x Dashboard Examples App (https://splunkbase.splunk.com/app/1603/), in which how to create a scatter chart is fully described with an example.
Bye.
Giuseppe

0 Karma

rajgowd1
Communicator

Hi,
I went through the dashboard examples, but it does not have a chart like the one I mentioned in my question.

Is there a way we can show time on the x-axis and state on the y-axis?

0 Karma

dbcase
Motivator

Would using timechart work?

0 Karma

rajgowd1
Communicator

Hi,
Here is the data I am displaying in table format. I can use timechart, but it is not giving all of the 4 fields below in chart (any) format.

Can we represent the table below in any kind of chart?

app_name time source_instance newmsg
ccp-demo-test 2016-12-24T22:33:17Z 1 STOPPED
ccp-demo-test 2016-12-24T22:33:18Z 0 STARTED
ccp-demo-test 2016-12-25T17:48:03Z 1 STOPPED
ccp-demo-test 2016-12-25T17:48:04Z 2 STARTED
ccp-demo-test 2016-12-27T16:19:07Z 2 STOPPED

0 Karma

dbcase
Motivator

What if you concatenated the four fields (or a subset)?

i.e.

eval variable1=field1." - ".field2

and then used variable1 as the group by with the timechart

i.e.

your search | timechart count by variable1

Would something like that work?

0 Karma
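
The concatenate-then-timechart suggestion above, applied to the five sample rows posted earlier in the thread, as an added example that is not part of the original posts. The rows are loaded inline with makeresults so the search runs without the index; concatenating app_name with newmsg and using span=1d are assumptions made for illustration.

```spl
| makeresults
| eval raw="ccp-demo-test,2016-12-24T22:33:17Z,1,STOPPED;ccp-demo-test,2016-12-24T22:33:18Z,0,STARTED;ccp-demo-test,2016-12-25T17:48:03Z,1,STOPPED;ccp-demo-test,2016-12-25T17:48:04Z,2,STARTED;ccp-demo-test,2016-12-27T16:19:07Z,2,STOPPED"
| makemv delim=";" raw
| mvexpand raw
| rex field=raw "^(?<app_name>[^,]+),(?<time>[^,]+),(?<source_instance>[^,]+),(?<newmsg>[^,]+)$"
| eval _time=strptime(time, "%Y-%m-%dT%H:%M:%SZ")
| eval variable1=app_name." - ".newmsg
| timechart span=1d count by variable1
```

Each distinct app_name/newmsg pair becomes its own series, so adding source_instance to the concatenation multiplies the number of series on the chart.
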

rajgowd1
Communicator

Hi,
It works and I understand, but the higher manager doesn't understand this representation.

Is there any alternate way to represent it?

0 Karma