- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to display column chart based on events count ...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to display column chart based on events count and display events size in bytes, KB, MB, and GB?
Hi,
i would like to display column chart based on events count and display events size in bytes,KB,MB and GB
if events<1000 ---> display count and size in bytes
if events between 1000 to 10000 ---> display count and size in KB
if events between 10000 to 100000 ----> display count and size in MB
if events between >100000 ----> display count and size in GB
currently i am using below search to get count and size in KB's
index=myindex |eval esize=len(_raw) |timechart span=1m count as Count, sum(esize) as "EventsSize" | eval kb=EventsSize/1024 | fields - EventsSize
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You can also put each value on a separate axis or use a horizon chart
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The best way to handle this is to edit your visualization, click on the Format (the pen/paintbrush icon), click on the Y-Axis tab, then the Log button in the Scale control. This will ensure that the smaller amounts on the view are not dwarfed to a flat line by the bigger values.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If you change the scale (by converting bytes to kb/mb/gb), the size of columns would not look realistic. (e.g. 900 bytes would be much higher than 55 kb, but in reality 55kb is bigger).
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
hi,
thank you.
when i was trying to display events for timerange 2 hours
if i have a events count like 100000 and if i count the sum of these events in bytes,size is coming as a big number,when i display events count and size in column chart,i always see size chart because event size is big.
so i was thinking based on events count,may be we can display size of total events
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
In that case, you should use chart overlay feature so that you can show two series (event count and event size) in single graph but both can use separate y-axis. See this for more information on the same.
ICYMI - Check out the latest releases of Splunk Edge Processor
Introducing the 2024 SplunkTrust!
Introducing the 2024 Splunk MVPs!
