How to edit my search to create a bubble chart wit...

andyp54 · ‎02-06-2017

I have a search that returns me 3 fields (let's say country, _time, count)

I want to show these results in a bubble chart but the X axis (_time) instead of returning dates, it returns 0, 1, 2, 3 etc - it's as if instead of taking the actual date it is taking the line number where the _time field is populated and using that.

I've been playing with date formats and other options but it makes no difference.

Hopefully one of you Splunk gurus can put me out of my misery and let me know what I'm doing wrong!

paulstout · ‎06-07-2017

If you add an ID to the panel "bubblechart", then add this as a script to the dashboard, it'll re-write the epoch time strings to a date format. Verified working on Splunk 6.4.4.

require(['jquery', 'splunkjs/mvc/simplexml/ready!'], function($) {
        setTimeout(function(){
                $('#bubblechart').find('.highcharts-xaxis-labels').children('text').each(function(){
                        var epochtime = parseInt($(this).html().replace(/\,/g,''),10);
                        var objDate = new Date(epochtime*1000);
                        $(this).html(objDate.toLocaleDateString('en-US'));
                });
        }, 1000);
});

DalJeanis · ‎02-06-2017

Use bin to turn the _time field into dates/days.

| bin _time as MyDate span=1d
| table country, MyDate, count

Sounds like currently it's presenting as minutes or something.

andyp54 · ‎02-06-2017

Hi DalJeanis - this gets me a bit closer; my _time Axis (now MyDate) now shows epoch time

...the only problem is if I use a convert or eval time=strftime to make the date more readable the info is no longer passed to the chart.

The date is showing correctly in the data under the chart but if I hover over a bubble inside the chart MyDate shows as 0

DalJeanis · ‎02-06-2017

what happens if you do this?

 | bin _time span=1d
 | table country, _time, count

andyp54 · ‎02-07-2017

If I change it then it puts me back to my X axis showing 1, 2, 3 , 4 rather than epoch time....

andyp54 · ‎02-07-2017

I'm going to assume it's got something to do with the bubble chart needing a stats command to generate the fields it uses.....that must mess up whatever exists in the _time field so it doesn't display. I'll play some more but this may be one of those "you can't do it" moments....

gcusello · ‎02-06-2017

Hi andyp54,
if you see in the Dashboard example Bubblechart (see https://splunkbase.splunk.com/app/1603/) with the bubblechart graph you can use only two parameters (your have three: country, _time, EventCode!).
Bye.
Giuseppe

DalJeanis · ‎02-06-2017

Actually, by definition of a bubble chart, it's three - X value, Y value, and size of the bubble. The splunk bubble chart also allows a fourth, using a different color for different series.

https://docs.splunk.com/Documentation/Splunk/6.5.2/Viz/BubbleChart

andyp54 · ‎02-06-2017

index=?? sourcetype=?? country=* | bucket  _time span=1d | stats count by country, _time, EventCode (span of 30 days)

replaced my real index & sourcetype with ?? above but the query works in real life.

I get a nice stats page with results grouped by day but my over in visualizations > bubble chart my X axis (_time) goes from 0 - 58)

Thanks Giuseppe!

gcusello · ‎02-06-2017

Can you share your search?
Bye.
Giuseppe

How to edit my search to create a bubble chart with dates shown on X axis?

Developer Spotlight with Brett Adams

Index This | What can you do to make 55,555 equal 500?

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...