Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to combine values in Y axis of dashboard

ericSplunk
Engager
‎10-25-2023 11:29 AM

I created a dashboard with a query looks like this : 

index=cbclogs sourcetype = cbc_cc_performance source="/var/log/ccccenter/performancelog.log" Company IN ($company_filter$) LossType IN ($losstype_filter$) QuickClaimType IN ($QCT_filter$) |eval minsElapsed=round(secondsElapsed/60,0)| timechart median(minsElapsed) by LOB.

Suppose LOB has string values like :  "A", "B", "C", "D" ,"E","F","G" ,"H", currently , all values will be shown in the Y axis on the right side , how can I combine "A","B","C" as "A" , "D","E","F" as "E" and "G","H" as "G", so , the right side Y axis has only three values and won't affect the correctness of the dashboard. Actually , I am not sure whether should I call this right side colourful column Y axis.

ericSplunk_0-1698262572791.png

 

 

 

 

 

Thanks a lot !

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

bowesmana
SplunkTrust
SplunkTrust
‎10-27-2023 02:26 AM

In the original, you had 9 series and in the second, you have 5. Your aggregation is using median(minsElapsed) so it's quite possible that the media is going to be less than the 33 shown in the first graph.

In the first graph, you have the A* series for Oct 10 appear to be 33, 10 and maybe 6, so if you combine all the values for all of these events, the median is likely to be different as it's the median of all 3 sets of events rather than the median on the single LOB value.

 

View solution in original post

0 Karma
Reply
Solved! Jump to solution

bowesmana
SplunkTrust
SplunkTrust
‎10-25-2023 11:52 AM

 

index=cbclogs sourcetype = cbc_cc_performance source="/var/log/ccccenter/performancelog.log" Company IN ($company_filter$) LossType IN ($losstype_filter$) QuickClaimType IN ($QCT_filter$)
| eval minsElapsed=round(secondsElapsed/60,0)
| eval LOB=case(in(LOB,"A","B","C"),"A",in(LOB,"D","E","F"),"E",in(LOB,"G","H","I"),"G")
| timechart median(minsElapsed) by LOB

That's a literal interpretation of your example, hopefully you can work it from there.

0 Karma
Reply
Solved! Jump to solution

ericSplunk
Engager
‎10-25-2023 12:32 PM

Thanks for your reply . 

I added this eval statement in to the search . The result is different . It is supposed to combine different LOBs results into one result . but the max value of the blue column at OCT 10 is a lot less then the green one 33 of the previous screenshot. The green column's value should be included in the blue column now. so  , the max should be the same.  No sure why the result is different now.

 

ericSplunk_0-1698262384725.png

 

0 Karma
Reply
Solved! Jump to solution
Solution

bowesmana
SplunkTrust
SplunkTrust
‎10-27-2023 02:26 AM

In the original, you had 9 series and in the second, you have 5. Your aggregation is using median(minsElapsed) so it's quite possible that the media is going to be less than the 33 shown in the first graph.

In the first graph, you have the A* series for Oct 10 appear to be 33, 10 and maybe 6, so if you combine all the values for all of these events, the median is likely to be different as it's the median of all 3 sets of events rather than the median on the single LOB value.

 

0 Karma
Reply
Solved! Jump to solution

ericSplunk
Engager
‎10-27-2023 06:42 AM

Thanks for your answer with details. This makes sense to me now.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Enterprise Security 8.x: The Essential Upgrade for Threat Detection, ...

 Prepare to elevate your security operations with the powerful upgrade to Splunk Enterprise Security 8.x! This ...

Get Early Access to AI Playbook Authoring: Apply for the Alpha Private Preview ...

Passionate about security automation? Apply now to our AI Playbook Authoring Alpha private preview ...

Reduce and Transform Your Firewall Data with Splunk Data Management

Managing high-volume firewall data has always been a challenge. Noisy events and verbose traffic logs often ...