Splunk Search

How do you dynamically change the legend labels

beaumaris
Communicator

We have some timecharts that display information collected by Server_IP, using searches similar to this

    ... | timechart sum(Bytes) by Server_IP

The problem is the IP values are reasonably meaningless to the people using this chart, so we'd like to display the hostname of the server associated with the IP. We've looked at the "charting.legend.labels" property but that is a statically defined list of values, and depending on time range selection and other values the list of IPs being displayed will change, as will the order of the IPs. So we are looking for a way to do what amounts to a lookup of each IP into a table that returns the Hostname, and use the Hostname as the label displayed in the legend. Can this be done?


gkanapathy
Splunk Employee

You can do either:

  • Perform the lookup before the aggregation (i.e., before timechart):

    ... | lookup iptoname Server_IP OUTPUT Server_Name | timechart sum(Bytes) by Server_Name

  • Use stats as the aggregator, and do it after stats:

    ... | bucket _time | stats sum(Bytes) by _time Server_IP | lookup iptoname Server_IP OUTPUT Server_Name | xyseries _time Server_Name sum(Bytes)

since you can replicate `timechart <function> by <field>` using `bucket _time | stats <function> by _time <field> | xyseries _time <field> <function>`
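Building on gkanapathy's first approach, here is an added example (not from this thread) that also keeps an IP missing from the lookup table visible in the legend: a row with no lookup match gets an empty Server_Name, so all such rows would collapse into one NULL series (or be dropped by stats) instead of appearing under their own IP, hence the coalesce fallback to the IP itself. It assumes a lookup named iptoname backed by a CSV with columns Server_IP and Server_Name, where the constructed address 10.0.0.99 is deliberately absent from that table, and it fabricates six events with makeresults so it runs without a summary index:

```spl
| makeresults count=6
| streamstats count AS n
| eval _time=relative_time(now(), "-" . n . "h")
| eval Server_IP=case(n % 3 == 0, "10.0.0.10", n % 3 == 1, "10.0.0.11", true(), "10.0.0.99")
| eval Bytes=n * 1000
| lookup iptoname Server_IP OUTPUTNEW Server_Name
| eval Server_Name=coalesce(Server_Name, Server_IP)
| timechart span=1h sum(Bytes) by Server_Name
```

The same two lines (lookup with OUTPUTNEW, then coalesce) slot in after `stats sum(Bytes) by _time Server_IP` in the second approach, before xyseries.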

jflomenberg
Splunk Employee

Are the host values not correct in the host field? Then it would just be

    ... | timechart sum(Bytes) by host

jflomenberg
Splunk Employee

I see. Can you add the host name to the summary index? If not, you can do a lookup, but you will first need to populate a CSV file with the IP, hostname pairs. If you still have the raw data this should be straightforward to do with the outputcsv command. This approach has its limitations as it only works well when the IPs and hostnames are not terribly dynamic.


beaumaris
Communicator

The data must be collected by IP, which winds up in summary indexes in a field called "Server_IP". Therefore we are stuck with trying to transform the IP into the corresponding server name when displaying the legends.
