Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Splunk Search
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Rename row by data case at line chart
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Questioner
Path Finder
08-03-2023
07:38 PM
I want to rename row value by data case. (It is line chart)
The line chart row name changed by token $value$
if value is "iron" -> row must rename as "metal" -> and graph line become "black"
if value is "steak" -> row must rename as "food". -> and graph line become "red"
so I wrote the code like this, but it's not work at all.
<search>
<query>
...
|eval dt = case("$value$" == "iron", "metal", 1=1, "food")
|rename "row 1" as dt
...
</query>
</search>
<option name="charting.fieldColors">{"metal": 0xffffff, "food" : 0xFF0000}</option>
How could I solve this problem?
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ITWhisperer
SplunkTrust
08-04-2023
12:14 AM
<search>
<query>
...
|eval dt = case("$value$" == "iron", "metal", 1=1, "food")
|eval {dt}='row 1'
...
</query>
</search>
<option name="charting.fieldColors">{"metal": 0xffffff, "food" : 0xFF0000}</option>- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ITWhisperer
SplunkTrust
08-04-2023
12:14 AM
<search>
<query>
...
|eval dt = case("$value$" == "iron", "metal", 1=1, "food")
|eval {dt}='row 1'
...
</query>
</search>
<option name="charting.fieldColors">{"metal": 0xffffff, "food" : 0xFF0000}</option>- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Questioner
Path Finder
08-04-2023
01:21 AM
I added this code under my code, but it show three rows 😢
row 1, "metal", "dt"
How could I solve this?
I added this line
<search>
<query>
...
|sort total_time
|transpose
|eval dt = case("$value$" == "iron", "metal", 1=1, "food")
|eval {dt}='row 1'
...
</query>
</search>
<option name="charting.fieldColors">{"metal": 0xffffff, "food" : 0xFF0000}</option>- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ITWhisperer
SplunkTrust
08-04-2023
01:55 AM
| fields - dt "row 1"- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Questioner
Path Finder
08-04-2023
02:16 AM
OHHH There is something wrong my code.
It work!
Thank you for your help!!!😀
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
gcusello
SplunkTrust
08-03-2023
11:57 PM
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Questioner
Path Finder
08-04-2023
01:07 AM
<row>
<panel>
<chart>
<title>checking the making time</title>
<search>
<query>
| where make_end_time <= 50
| where amount != "None"
| where total_time <= 15
| where value_type = case("$v_type$"=="iron", 1, "$v_type$"=="steak", 2, 1=1, value_type)
| eval get_start_time = prepare - welcome
| eval wash_time = finish_wash - prepare
| eval make = make_time - finish_wash
| chart eval(round(avg(get_start_time), 3)) as "Start time" eval(round(avg(wash_time), 3)) as "cleaning" eval(round(avg(coook), 3)) as "making"
| sort total_time
|transpose
|rename "row 1" as "metal" |rename "row 2" as "food"</query>
</search>
<option name="charting.fieldColors">{"metal": 0xffffff, "food" : 0xFF0000}</option>
<option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisMiddle</option>
<option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
<option name="charting.axisTitleX.visibility">visible</option>
<option name="charting.axisTitleY.text">time(s)</option>
<option name="charting.axisTitleY.visibility">visible</option>
<option name="charting.axisTitleY2.visibility">visible</option>
<option name="charting.axisY.abbreviation">none</option>
<option name="charting.axisY.scale">linear</option>
<option name="charting.axisY2.enabled">0</option>
<option name="charting.axisY2.scale">inherit</option>
<option name="charting.chart">line</option>
<option name="charting.chart.stackMode">default</option>
<option name="charting.drilldown">all</option>
<option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
<option name="charting.legend.mode">standard</option>
<option name="charting.legend.placement">top</option>
<option name="height">363</option>
<option name="refresh.display">progressbar</option>
<option name="trellis.enabled">0</option>
</chart>
</panel>
</row>
This is my origin code! The data will send to the server
This is my origin code! The data will send to the server
Get Updates on the Splunk Community!
Enter the Agentic Era with Splunk AI Assistant for SPL 1.4
🚀 Your data just got a serious AI upgrade — are you ready?
Say hello to the Agentic Era with the ...
Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...
Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...
Accelerating Observability as Code with the Splunk AI Assistant
We’ve seen in previous posts what Observability as Code (OaC) is and how it’s now essential for managing ...
