Solved: Re: Rename row by data case at line chart

Questioner · ‎08-03-2023

I want to rename row value by data case. (It is line chart)

The line chart row name changed by token $value$

if value is "iron" -> row must rename as "metal" -> and graph line become "black"

if value is "steak" -> row must rename as "food". -> and graph line become "red"

so I wrote the code like this, but it's not work at all.

<search>
<query>
...
  |eval dt = case("$value$" == "iron", "metal", 1=1, "food")
  |rename "row 1" as dt
...
</query>
</search>
<option name="charting.fieldColors">{"metal": 0xffffff, "food" : 0xFF0000}</option>

How could I solve this problem?

ITWhisperer · ‎08-04-2023

<search>
<query>
...
  |eval dt = case("$value$" == "iron", "metal", 1=1, "food")
  |eval {dt}='row 1'
...
</query>
</search>
<option name="charting.fieldColors">{"metal": 0xffffff, "food" : 0xFF0000}</option>

View solution in original post

ITWhisperer · ‎08-04-2023

<search>
<query>
...
  |eval dt = case("$value$" == "iron", "metal", 1=1, "food")
  |eval {dt}='row 1'
...
</query>
</search>
<option name="charting.fieldColors">{"metal": 0xffffff, "food" : 0xFF0000}</option>

Questioner · ‎08-04-2023

I added this code under my code, but it show three rows 😢

row 1, "metal", "dt"

How could I solve this?

I added this line

<search>
<query>
...
  |sort total_time
  |transpose
  |eval dt = case("$value$" == "iron", "metal", 1=1, "food")
  |eval {dt}='row 1'
...
</query>
</search>
<option name="charting.fieldColors">{"metal": 0xffffff, "food" : 0xFF0000}</option>

ITWhisperer · ‎08-04-2023

| fields - dt "row 1"

Questioner · ‎08-04-2023

OHHH There is something wrong my code.

It work!
Thank you for your help!!!😀

gcusello · ‎08-03-2023

Hi @Questioner,

could you share the full search? it isn't clear the algorithm you used.

Ciao.

Giuseppe

Questioner · ‎08-04-2023

<row>

<panel>

<chart>

<title>checking the making time</title>

<query>

| where make_end_time <= 50

| where amount != "None"

| where total_time <= 15

| where value_type = case("$v_type$"=="iron", 1, "$v_type$"=="steak", 2, 1=1, value_type)

| eval get_start_time = prepare - welcome

| eval wash_time = finish_wash - prepare

| eval make = make_time - finish_wash

| chart eval(round(avg(get_start_time), 3)) as "Start time" eval(round(avg(wash_time), 3)) as "cleaning" eval(round(avg(coook), 3)) as "making"

| sort total_time

|transpose

|rename "row 1" as "metal" |rename "row 2" as "food"</query>

</search>

<option name="charting.fieldColors">{"metal": 0xffffff, "food" : 0xFF0000}</option>

<option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisMiddle</option>

<option name="charting.axisTitleX.visibility">visible</option>

<option name="charting.axisTitleY.visibility">visible</option>

<option name="charting.axisTitleY2.visibility">visible</option>

<option name="charting.axisY.scale">linear</option>

<option name="charting.axisY2.scale">inherit</option>

<option name="charting.chart.stackMode">default</option>

<option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>

<option name="charting.legend.mode">standard</option>

<option name="refresh.display">progressbar</option>

</chart>

</panel>

</row>

This is my origin code! The data will send to the server

Rename row by data case at line chart

chart

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Announcing Modern Navigation: A New Era of Splunk User Experience

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

Join the Conversation