Quick Question: Charting maximum values

wyang6 · ‎04-18-2011

<option name="charting.data.count">3</option>

<option name="charting.chart">bar</option>

The lines above graphs a bar chart with values from the first 3 rows. How can I instead graph the highest 3 values? In addition, how can I scale the axis such that it is normalized with respect to the maximum value?

Thank you.

hazekamp · ‎04-18-2011

To graph the 3 highest values you can limit your search results to the 3 highest values. Depending on your search limits can be done in a few different methods.

For a single count field (i.e. when using stats):

| top limit=3 foo
| stats count by foo | sort 3 - <count_field>

For mult-dimensional count fieds (i.e. when using chart):

| addtotals | sort 3 - Total

For first 'n' results:

| head 3

hazekamp · ‎04-18-2011

For the search, you can do "| top limit=0". On the dashboard side, if you are using simple XML try the showPager option.

wyang6 · ‎04-18-2011

Thanks. If I also want a table with all the rows displayed, how can I get around

top limit=n
OR
head n

Quick Question: Charting maximum values

Splunk App Dev Community Updates – What’s New and What’s Next

The Latest Cisco Integrations With Splunk Platform!

Enterprise Security Content Update (ESCU) | New Releases

Are you a member of the Splunk Community?

Quick Question: Charting maximum values

Splunk App Dev Community Updates – What’s New and What’s Next

The Latest Cisco Integrations With Splunk Platform!

Enterprise Security Content Update (ESCU) | New Releases