
How to achieve a non numeric scatter plot on x and y?

New Member

Hi,

I have two text columns finding_id and device manufacturer, and a count of events containing both.

I'd like a scatter chart of device.manufacturer on the y-axis, and finding_id on the x-axis, but everything seems to revert to a numerical axis?

Am I missing something?

The below is from the stats page:

count   finding_id  device.manufacturer
9       V-3086      Cisco
9       V-3034      Cisco
9       V-14717     Cisco
9       V-14667     Cisco
8       V-5618      Cisco
0 Karma

Re: How to achieve a non numeric scatter plot on x and y?

SplunkTrust

Just use the chart command.

| chart count by finding_id device.manufacturer 

Flip the order of the by fields if you want them the other way.

0 Karma

Re: How to achieve a non numeric scatter plot on x and y?

New Member

Thanks. Unfortunately that didn't work.

My query is now

| chart count by finding_id ,device.manufacturer

Statistics tab now shows the below, but the scatter plot X and Y axis labels are NSA-FLTR-20 and V-14707, and each axis is still numerical

What I'd like is that the Y axis is a list of all devices, the X axis is a list of all findings, and the scatter plot shows counts at the intersection of the two

device.manufacturer  NSA-AUTH-025  NSA-FLTR-020  V-14667  V-14707
3COM                 1             1             1        1
Brocade              0             5             0        0
Check Point          0             0             3        0
Cisco                4             1             9        8
HP                   0             1             1        1
Huawei               3             0             1        1
Juniper              2             2             2        1
Palo Alto            1             2             2        0
WatchGuard           0             0             1        0

But scatter chart is still using

0 Karma

Re: How to achieve a non numeric scatter plot on x and y?

Ultra Champion

| makeresults
| eval _raw="device.manufacturer,NSA-AUTH-025,NSA-FLTR-020,V-14667,V-14707
3COM,1,1,1,1
Brocade,0,5,0,0
Check Point,0,0,3,0
Cisco,4,1,9,8
HP,0,1,1,1
Huawei,3,0,1,1
Juniper,2,2,2,1
Palo Alto,1,2,2,0
WatchGuard,0,0,1,0"
| multikv forceheader=1
| fields - _* linecount
| table device_manufacturer,NSA_AUTH_025,NSA_FLTR_020,V_14667,V_14707
| eval test=mvrange(0,2)
| mvexpand test
| streamstats count
| eval device_manufacturer=if(count % 2 = 0 , null(), device_manufacturer)
| foreach * [ eval <<FIELD>> = if(isnull(device_manufacturer),NULL,'<<FIELD>>')]
| fields - test count

I use a trick.
Try Viz >> Area Chart with Format Null Values=Gap.

Area Chart

0 Karma