Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How do I display the content from my search results table in a scatter or D3 chart?

rajgowd1
Communicator
‎01-03-2017 07:06 AM

Hi,

I have a search which displays content in a table format. Here is the search and I would like to show them in scatter chart or in D3.
alt text

index=myindex  mess_type=OUT origin=* org_name=* env=* (app_name=cap-demo-test OR app_name=nem-cap-bat OR app_name=nem-cap-pag) | eval newmsg="UPDATE" | rex field=fullmsg "(?CRASHED|STARTED|STOPPED)" | table app_name, time, source_instance, newmsg | sort app_name, time, source_instance, newmsg
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

dbcase
Motivator
‎01-03-2017 10:23 AM

Hmmmm well a couple of thoughts

Have you tried formatting the timechart as a multi-series? This way each series is on a chart of it's own. Might be easier to understand that way.

Another option would be to try a Horizon Chart (its a Splunkbase add on - https://splunkbase.splunk.com/app/3117/)

What is it in particular that the manager doesn't understand?

View solution in original post

Reply
Solved! Jump to solution
Solution

dbcase
Motivator
‎01-03-2017 10:23 AM

Hmmmm well a couple of thoughts

Have you tried formatting the timechart as a multi-series? This way each series is on a chart of it's own. Might be easier to understand that way.

Another option would be to try a Horizon Chart (its a Splunkbase add on - https://splunkbase.splunk.com/app/3117/)

What is it in particular that the manager doesn't understand?

Reply
Solved! Jump to solution

rajgowd1
Communicator
‎01-03-2017 11:12 AM

HI,thanks for your response.
i tried multi-series.its better now.

and i tried Horizon chart but they were using search something like timechart useother="f" span=1d limit=10 latest(open) by ticker_symbol

but i am not sure how can i write my query to fit into horizon chart.

0 Karma
Reply
Solved! Jump to solution

dbcase
Motivator
‎01-03-2017 12:09 PM

Yea that is one limitation of the Horizon chart, it will only graph 10 Y axis values.

Glad to hear multi-series helped!!!

0 Karma
Reply
Solved! Jump to solution

rajgowd1
Communicator
‎01-03-2017 12:14 PM

thank you.i do not see accept button.
where can i accept this answer?

0 Karma
Reply
Solved! Jump to solution

dbcase
Motivator
‎01-03-2017 12:22 PM

Just converted it to an answer

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎01-03-2017 07:21 AM

Hi rajgowd1,
the best way to do what you want is to download and install the Splunk 6.x dashboard Examples App (https://splunkbase.splunk.com/app/1603/), in which is fully described with an example how to create a scatter chart.
Bye.
Giuseppe

0 Karma
Reply
Solved! Jump to solution

rajgowd1
Communicator
‎01-03-2017 07:26 AM

Hi,
i gone through the dashboard examples but it does'not have the chart like i mentioned in my question.

is there a way we can show time in x-axis and state in y-axis?

0 Karma
Reply
Solved! Jump to solution

dbcase
Motivator
‎01-03-2017 08:59 AM

Would using timechart work?

0 Karma
Reply
Solved! Jump to solution

rajgowd1
Communicator
‎01-03-2017 09:06 AM

HI,
here is the data i am displaying in table format.i can use timechart but it is not giving all below 4 fields in chart(any) format.

can we represent below table in any kind of chart?

app_name time source_instance newmsg
ccp-demo-test 2016-12-24T22:33:17Z 1 STOPPED
ccp-demo-test 2016-12-24T22:33:18Z 0 STARTED
ccp-demo-test 2016-12-25T17:48:03Z 1 STOPPED
ccp-demo-test 2016-12-25T17:48:04Z 2 STARTED
ccp-demo-test 2016-12-27T16:19:07Z 2 STOPPED

0 Karma
Reply
Solved! Jump to solution

dbcase
Motivator
‎01-03-2017 09:24 AM

What if you concatenated the four fields (or a subset)?

i.e.

eval variable1=field1." - ".field2

and then used variable1 as the group by with the timechart

i.e.

your search | timechart count by variable1

Would something like that work?

0 Karma
Reply
Solved! Jump to solution

rajgowd1
Communicator
‎01-03-2017 10:10 AM

HI,
it works and i understand but higher manager doesn't understand this representation.

is there any alternate way to represent

0 Karma
Reply
Get Updates on the Splunk Community!

New This Month in Splunk Observability Cloud - Metrics Usage Analytics, Enhanced K8s ...

The latest enhancements across the Splunk Observability portfolio deliver greater flexibility, better data and ...

Alerting Best Practices: How to Create Good Detectors

At their best, detectors and the alerts they trigger notify teams when applications aren’t performing as ...

Discover Powerful New Features in Splunk Cloud Platform: Enhanced Analytics, ...

Hey Splunky people! We are excited to share the latest updates in Splunk Cloud Platform 9.3.2408. In this ...