Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to combine values in Y axis of dashboard

ericSplunk
Engager
‎10-25-2023 11:29 AM

I created a dashboard with a query looks like this : 

index=cbclogs sourcetype = cbc_cc_performance source="/var/log/ccccenter/performancelog.log" Company IN ($company_filter$) LossType IN ($losstype_filter$) QuickClaimType IN ($QCT_filter$) |eval minsElapsed=round(secondsElapsed/60,0)| timechart median(minsElapsed) by LOB.

Suppose LOB has string values like :  "A", "B", "C", "D" ,"E","F","G" ,"H", currently , all values will be shown in the Y axis on the right side , how can I combine "A","B","C" as "A" , "D","E","F" as "E" and "G","H" as "G", so , the right side Y axis has only three values and won't affect the correctness of the dashboard. Actually , I am not sure whether should I call this right side colourful column Y axis.

ericSplunk_0-1698262572791.png

 

 

 

 

 

Thanks a lot !

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

bowesmana
SplunkTrust
SplunkTrust
‎10-27-2023 02:26 AM

In the original, you had 9 series and in the second, you have 5. Your aggregation is using median(minsElapsed) so it's quite possible that the media is going to be less than the 33 shown in the first graph.

In the first graph, you have the A* series for Oct 10 appear to be 33, 10 and maybe 6, so if you combine all the values for all of these events, the median is likely to be different as it's the median of all 3 sets of events rather than the median on the single LOB value.

 

View solution in original post

0 Karma
Reply
Solved! Jump to solution

bowesmana
SplunkTrust
SplunkTrust
‎10-25-2023 11:52 AM

 

index=cbclogs sourcetype = cbc_cc_performance source="/var/log/ccccenter/performancelog.log" Company IN ($company_filter$) LossType IN ($losstype_filter$) QuickClaimType IN ($QCT_filter$)
| eval minsElapsed=round(secondsElapsed/60,0)
| eval LOB=case(in(LOB,"A","B","C"),"A",in(LOB,"D","E","F"),"E",in(LOB,"G","H","I"),"G")
| timechart median(minsElapsed) by LOB

That's a literal interpretation of your example, hopefully you can work it from there.

0 Karma
Reply
Solved! Jump to solution

ericSplunk
Engager
‎10-25-2023 12:32 PM

Thanks for your reply . 

I added this eval statement in to the search . The result is different . It is supposed to combine different LOBs results into one result . but the max value of the blue column at OCT 10 is a lot less then the green one 33 of the previous screenshot. The green column's value should be included in the blue column now. so  , the max should be the same.  No sure why the result is different now.

 

ericSplunk_0-1698262384725.png

 

0 Karma
Reply
Solved! Jump to solution
Solution

bowesmana
SplunkTrust
SplunkTrust
‎10-27-2023 02:26 AM

In the original, you had 9 series and in the second, you have 5. Your aggregation is using median(minsElapsed) so it's quite possible that the media is going to be less than the 33 shown in the first graph.

In the first graph, you have the A* series for Oct 10 appear to be 33, 10 and maybe 6, so if you combine all the values for all of these events, the median is likely to be different as it's the median of all 3 sets of events rather than the median on the single LOB value.

 

0 Karma
Reply
Solved! Jump to solution

ericSplunk
Engager
‎10-27-2023 06:42 AM

Thanks for your answer with details. This makes sense to me now.

0 Karma
Reply
Get Updates on the Splunk Community!

.conf25 technical session recap of Observability for Gen AI: Monitoring LLM ...

If you’re unfamiliar, .conf is Splunk’s premier event where the Splunk community, customers, partners, and ...

A Season of Skills: New Splunk Courses to Light Up Your Learning Journey

There’s something special about this time of year—maybe it’s the glow of the holidays, maybe it’s the ...

Announcing the Migration of the Splunk Add-on for Microsoft Azure Inputs to ...

Announcing the Migration of the Splunk Add-on for Microsoft Azure Inputs to Officially Supported Splunk ...