Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: How to display column chart based on events co...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to display column chart based on events count and display events size in bytes, KB, MB, and GB?
rajgowd1
Communicator
02-08-2017
10:46 AM
Hi,
i would like to display column chart based on events count and display events size in bytes,KB,MB and GB
if events<1000 ---> display count and size in bytes
if events between 1000 to 10000 ---> display count and size in KB
if events between 10000 to 100000 ----> display count and size in MB
if events between >100000 ----> display count and size in GB
currently i am using below search to get count and size in KB's
index=myindex |eval esize=len(_raw) |timechart span=1m count as Count, sum(esize) as "EventsSize" | eval kb=EventsSize/1024 | fields - EventsSize
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
dbcase
Motivator
02-21-2017
12:02 PM
You can also put each value on a separate axis or use a horizon chart
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
woodcock
Esteemed Legend
02-21-2017
11:56 AM
The best way to handle this is to edit your visualization, click on the Format (the pen/paintbrush icon), click on the Y-Axis tab, then the Log button in the Scale control. This will ensure that the smaller amounts on the view are not dwarfed to a flat line by the bigger values.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
somesoni2
Revered Legend
02-08-2017
12:39 PM
If you change the scale (by converting bytes to kb/mb/gb), the size of columns would not look realistic. (e.g. 900 bytes would be much higher than 55 kb, but in reality 55kb is bigger).
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
rajgowd1
Communicator
02-08-2017
12:53 PM
hi,
thank you.
when i was trying to display events for timerange 2 hours
if i have a events count like 100000 and if i count the sum of these events in bytes,size is coming as a big number,when i display events count and size in column chart,i always see size chart because event size is big.
so i was thinking based on events count,may be we can display size of total events
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
somesoni2
Revered Legend
02-08-2017
12:57 PM
In that case, you should use chart overlay feature so that you can show two series (event count and event size) in single graph but both can use separate y-axis. See this for more information on the same.
Get Updates on the Splunk Community!
Splunk Observability Cloud’s AI Assistant in Action Series: Analyzing and ...
This is the second post in our Splunk Observability Cloud’s AI Assistant in Action series, in which we look at ...
Elevate Your Organization with Splunk’s Next Platform Evolution
Thursday, July 10, 2025 | 11AM PDT / 2PM EDT
Whether you're managing complex deployments or looking to ...
Splunk Answers Content Calendar, June Edition
Get ready for this week’s post dedicated to Splunk Dashboards! We're celebrating the power of community by ...
