Splunk Search

How to change x-axis increments on a column chart?

brianlee12
Engager

I have a column chart with 4 bars, with the values 2, 10, 46, and 50. The spacing between these 4 bars are the same as Splunk treats the values as labels. I'd like to space the bars out proportional to their x-axis value, so the space between the 10 bar and 46 bar would be much greater than the spacing between 46 and 50, etc. Any help would be appreciated thanks 🙂

0 Karma
1 Solution

sundareshr
Legend

If you know the max value, you could try this

... | stats sum(uploadSize) as totalUploadSize sum(uploadDuration) as totalUploadDuration by deviceID | eval bandwidth= round((totalUploadSize)/(totalUploadDuration*0.001*131072),4) | table deviceID bandwidth | stats count by bandwidth | sort + bandwidth | append [ gentimes start=-1 | eval bandwidth=mvrange(0, maxvalue, .1) | mvexpand bandwidth | table bandwidth ] | stats values(count) as count by bandwidth

View solution in original post

0 Karma

sundareshr
Legend

If you know the max value, you could try this

... | stats sum(uploadSize) as totalUploadSize sum(uploadDuration) as totalUploadDuration by deviceID | eval bandwidth= round((totalUploadSize)/(totalUploadDuration*0.001*131072),4) | table deviceID bandwidth | stats count by bandwidth | sort + bandwidth | append [ gentimes start=-1 | eval bandwidth=mvrange(0, maxvalue, .1) | mvexpand bandwidth | table bandwidth ] | stats values(count) as count by bandwidth
0 Karma

sundareshr
Legend

If you don't know the max, try this...

... | stats sum(uploadSize) as totalUploadSize sum(uploadDuration) as totalUploadDuration by deviceID | eval bandwidth= round((totalUploadSize)/(totalUploadDuration*0.001*131072),4) | table deviceID bandwidth | stats count by bandwidth | sort + bandwidth | append [ search ... | stats sum(uploadSize) as totalUploadSize sum(uploadDuration) as totalUploadDuration by deviceID | eval bandwidth= round((totalUploadSize)/(totalUploadDuration*0.001*131072),4) | stats max(bandwidth) as maxvalue | eval bandwidth=mvrange(0, maxvalue, .1) | mvexpand bandwidth | table bandwidth ] | stats values(count) as count by bandwidth
0 Karma

brianlee12
Engager

your first post kind of worked, for some reason its going in order of the first digit so the 2.12 value is showing up after 10

alt text

0 Karma

brianlee12
Engager

fixed it by sorting it

0 Karma

somesoni2
SplunkTrust
SplunkTrust

Give this a try

 ... | stats sum(uploadSize) as totalUploadSize sum(uploadDuration) as totalUploadDuration by deviceID | eval bandwidth= round((totalUploadSize)/(totalUploadDuration*0.001*131072),4)  | stats count by bandwidth  | eval t=bandwidth | chart values(count) over bandwidth by t
0 Karma

brianlee12
Engager

The bars are being spaced out a lot but the spacing is still constant not proportional

alt text

0 Karma

somesoni2
SplunkTrust
SplunkTrust

The column spacing is exactly same as value of "bandwidth"? Do you want it to be spaced out based of value of "count"? OR if you could post snapshot of your expected graph.

0 Karma

brianlee12
Engager

This is what I'm looking for

alt text

0 Karma

somesoni2
SplunkTrust
SplunkTrust

Give this a try

... | stats sum(uploadSize) as totalUploadSize sum(uploadDuration) as totalUploadDuration by deviceID | eval bandwidth= round((totalUploadSize)/(totalUploadDuration*0.001*131072),4)  | stats count by bandwidth  | eval _time=relative_time(now(),"@d") + bandwidth | timechart span=10s values(count)  by bandwidth | eval t=round(_time-relative_time(now(),"@d")) | fields - _time | table t *
0 Karma

brianlee12
Engager

This is the result

alt text

0 Karma

somesoni2
SplunkTrust
SplunkTrust

Something is wrong (negative t shouldn't come) . This should give number of rows equal to max of bandwidth. Can you try this

... | stats sum(uploadSize) as totalUploadSize sum(uploadDuration) as totalUploadDuration by deviceID | eval bandwidth= round((totalUploadSize)/(totalUploadDuration*0.001*131072),4)  | stats count by bandwidth  | eval _time=relative_time(now(),"@d") + bandwidth | timechart span=10s values(count)  by bandwidth | eval t=round(_time-relative_time(now(),"@d")) | fields - _time | table t * |where  t>0
0 Karma

brianlee12
Engager

It says no results found when I do that

0 Karma

brianlee12
Engager

So are you trying to set the bandwidth as the time, that way I can use a timechart to display the information?

0 Karma

somesoni2
SplunkTrust
SplunkTrust

To make x-axis markers to space out based on the x column value, I'm adding current day and then after chart substracting current day into the bandwidth. Thus there should never be a negative value for column t. Can you try this and if it doesn't work, provide the full search that you're using?

... | stats sum(uploadSize) as totalUploadSize sum(uploadDuration) as totalUploadDuration by deviceID | eval bandwidth= round((totalUploadSize)/(totalUploadDuration*0.001*131072),4)  | stats count by bandwidth | eval _time=bandwidth | timechart span=2 values(count)  by bandwidth | eval t=_time | fields - _time | table t *
0 Karma

brianlee12
Engager

This is very close. The bars are currently being squished to the left side

alt text

0 Karma

somesoni2
SplunkTrust
SplunkTrust

Can you post the search OR the table of final values you've?

0 Karma

brianlee12
Engager

My search is:

... |   stats sum(uploadSize) as totalUploadSize sum(uploadDuration) as totalUploadDuration by deviceID |   eval bandwidth= round((totalUploadSize)/(totalUploadDuration*0.001*131072),4) |  table deviceID bandwidth | stats count by bandwidth | sort + bandwidth

currently it looks like

alt text

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...