Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to achieve a non numeric scatter plot on x and y?

keithdriver
New Member
‎04-15-2020 07:19 AM

Hi,

I have two text columns finding_id and device manufacturer, and a count of events containing both.

I'd like a scatter chart of device.manufacturer on the y-axis, and finding_id on the x-axis, but everything seems to revert to a numerical axis?

Am I missing something?

The below is from the stats page:

count   finding_id  device.manufacturer
9       V-3086      Cisco
9       V-3034      Cisco
9       V-14717    Cisco
9       V-14667    Cisco
8       V-5618      Cisco
0 Karma
Reply

to4kawa
Ultra Champion
‎04-15-2020 01:50 PM 
| makeresults
| eval _raw="device.manufacturer,NSA-AUTH-025,NSA-FLTR-020,V-14667,V-14707
3COM,1,1,1,1
Brocade,0,5,0,0
Check Point,0,0,3,0
Cisco,4,1,9,8
HP,0,1,1,1
Huawei,3,0,1,1
Juniper,2,2,2,1
Palo Alto,1,2,2,0
WatchGuard,0,0,1,0"
| multikv forceheader=1
| fields - _* linecount
| table device_manufacturer,NSA_AUTH_025,NSA_FLTR_020,V_14667,V_14707
| eval test=mvrange(0,2)
| mvexpand test
| streamstats count
| eval device_manufacturer=if(count % 2 = 0 , null(), device_manufacturer)
| foreach * [ eval <<FIELD>> = if(isnull(device_manufacturer),NULL,'<<FIELD>>')]
| fields - test count

I use trick.
try Viz>>Area Chart with Format Null Values=Gap

Area Chart

ans.png
Preview file
110 KB
0 Karma
Reply

DalJeanis
Legend
‎04-15-2020 08:13 AM

Just use the chart command.

| chart count by finding_id device.manufacturer

Flip the order of the by fields if you want them the other way.

0 Karma
Reply

keithdriver
New Member
‎04-15-2020 09:17 AM

Thanks. Unfortunately that didnt work.

My query is now

| chart count by finding_id ,device.manufacturer

Statistics tab now shows the below, but the scatter plot X and Y axis labels are NSA-FLTR-20 and V-14707, and each axis is still numerical

What I'd like is that the Y axis is a list of all devices, the X axis is a list of all findings, and the scatter plot shows counts at the intersection of the two

device.manufacturer NSA-AUTH-025 NSA-FLTR-020 V-14667 V-14707
3COM 1 1 1 1
Brocade 0 5 0 0
Check Point 0 0 3 0
Cisco 4 1 9 8
HP 0 1 1 1
Huawei 3 0 1 1
Juniper 2 2 2 1
Palo Alto 1 2 2 0
WatchGuard 0 0 1 0

But scatter chart is still using

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability Cloud's AI Assistant in Action Series: Onboarding New Hires & ...

This is the fifth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how to ...

Now Playing: Splunk Education Summer Learning Premieres

It’s premiere season, and Splunk Education is rolling out new releases you won’t want to miss. Whether you’re ...

The Visibility Gap: Hybrid Networks and IT Services

The most forward thinking enterprises among us see their network as much more than infrastructure – it's their ...
li.common.scroll-to.top