Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to use stats or chart by multiple columns while using visualizations?

AK89
Explorer
‎07-28-2022 06:08 PM

Here is the sample data set:

ENTITY_NAME REPLICATION_OF VALUE
server1 BackupA 59
server2 BackupB 28
server3 backup_noenc_h1 54
server3 backup_utility_h1 96
server4 backup_noenc_h2 40
server4 backup_utility_h2 700

 

I want to be able to use the number display visualization to display entity_name, replication_of, and latest value for each record. I've tried these:

| stats latest(VALUE) by REPLICATION_OF ENTITY_NAME
| chart latest(VALUE) by REPLICATION_OF ENTITY_NAME
| chart latest(VALUE) over REPLICATION_OF by ENTITY_NAME

Ultimately I want something that looks like this, but not sure if you can display three data series in a number display. If this isn't possible, what would be the best way to visualize a data set like this?

AK89_0-1659056729061.png

 

 

 

Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

yuanliu
SplunkTrust
SplunkTrust
‎07-28-2022 08:55 PM

Screen Shot 2022-07-28 at 8.53.35 PM.pngIf the main consideration is display, I have this really silly trick:

 

| eval label = REPLICATION_OF . " - " . ENTITY_NAME
| stats latest(VALUE) by label

 

View solution in original post

Reply
Solved! Jump to solution
Solution

yuanliu
SplunkTrust
SplunkTrust
‎07-28-2022 08:55 PM

Screen Shot 2022-07-28 at 8.53.35 PM.pngIf the main consideration is display, I have this really silly trick:

 

| eval label = REPLICATION_OF . " - " . ENTITY_NAME
| stats latest(VALUE) by label

 

Reply
Solved! Jump to solution

AK89
Explorer
‎07-29-2022 05:28 AM

This worked great for my number display, but I can't seem to get it to work on the radial gauges like your screenshot. Did you have to do something else to get it to populate multiple gauges? 

0 Karma
Reply
Solved! Jump to solution

yuanliu
SplunkTrust
SplunkTrust
‎07-29-2022 09:27 PM

I'm not aware of any special setting.  I'm using a 9.0.0 installation.  After the stats, Splunk visualization automatically selected "Radial Gauge".  All I did is select trellis.

Screen Shot 2022-07-29 at 9.17.27 PM.png

By default, radial gauge uses the "shiny" skin; another skin (style) is "minimal", like this

Screen Shot 2022-07-29 at 9.15.35 PM.png

0 Karma
Reply
Solved! Jump to solution

AK89
Explorer
‎07-29-2022 04:53 AM

I thought of trying something like that last night (combining the values into one field) but couldn't get it to work. Thanks a lot, this accomplishes what I was looking for!

0 Karma
Reply
Get Updates on the Splunk Community!

Combine Multiline Logs into a Single Event with SOCK - a Guide for Advanced Users

This article is the continuation of the “Combine multiline logs into a single event with SOCK - a step-by-step ...

Everything Community at .conf24!

You may have seen mention of the .conf Community Zone 'round these parts and found yourself wondering what ...

Index This | I’m short for "configuration file.” What am I?

May 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with a Special ...