Are you a member of the Splunk Community?
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Limiting high numbers
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi
I have a timechart with integers, every minutes. Normaly, the value of the integers are between 1 and 120.
Sometimes it happens that a value can be over 500. In this case of failure, I would like to set the high value to 120 and would like to highlight it in a different color.
Is this possible with splunk with the default search tools?
Thanks for your tips
Rob
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It doesn't appear that you can control the color of the resulting chart using just the search language - you'll have to create a dashboard panel to do that. However, here's how you can get the chart you want:
...your timechart search...
| eval green=if(count<=120,count,0)
| eval red=if(count>120,120,0)
| fields - count
If you do this and format your chart to be a stacked bar chart, you'll see that the "red" ones (whatever color they end up being) are capped at 120 and a different color than the "green" ones. But they won't actually be red and green - again, you'll need to turn this into a dashboard panel and modify it to get those specific colors.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It doesn't appear that you can control the color of the resulting chart using just the search language - you'll have to create a dashboard panel to do that. However, here's how you can get the chart you want:
...your timechart search...
| eval green=if(count<=120,count,0)
| eval red=if(count>120,120,0)
| fields - count
If you do this and format your chart to be a stacked bar chart, you'll see that the "red" ones (whatever color they end up being) are capped at 120 and a different color than the "green" ones. But they won't actually be red and green - again, you'll need to turn this into a dashboard panel and modify it to get those specific colors.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Ok thanks that helps
Regards
Rob
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Stephane
Thank you for taking the time to help.
This command is the same like
mysearch | search fieldname <=120
The problem here is, that the high numbers above 120 are disappeared and there are little gaps in the timeline,
which can't be seen easily i the report.
So I decide to show it as the highest possible number (120) in the report, that we see, attention here are potential failures.
If I could color this bar with 120 in a different color, this would be great.
Thank you
Rob
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
To limit high number at 120 as you want you can use eval commande like this:
yourSearch.....|eval FieldName=FieldName|where FieldName<=120
where FieldName is the field that content your integer values
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
hi,i'm seeing what i can do for you
Community Content Calendar, September edition
Splunkbase Unveils New App Listing Management Public Preview
Leveraging Automated Threat Analysis Across the Splunk Ecosystem
