Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Replicating the Output of a Field Popup/Bubble?

interrobang
Explorer
‎02-04-2025 03:12 PM

Possibly a silly question, but I've wondered this for a while and now it'd actually be exactly what I need; I've got a simple http traffic monitor dash, with a graph of status message counts. Underneath, I want a panel which summarises it but ideally in 1m bins per row eg.

9:00AM - [OK] = 500
                   [Too many open files] = 30
                   [Connection timed out] = 2
                   [Connection refused] = 1
-
9:01AM - [OK] = 459
                   [Too many open files] = 21
                   [Connection timed out] = 3
                   [Connection refused] = 2
-
9:02AM etc.

Now obvs this is a trivial stats query with a little finessing, which I've added to my dashboard as a statistics panel underneath the graph of the counts over an hour. 

This achieves a common monitoring goal. I've got the hour span graph and then at-a-glance reference with 5x1min snap shots of what the web server is experiencing currently.. 

However, the output of a stats panel doesn't exactly look the greatest as above, what I'm actually wondering is, can I make it appear like the attached image below of the bubble popup (not sure what you guys call this), when you click on any field within a Splunk search?

valuesbubble.jpg

Like that output is perfect at-a-glance detail, count, %, and a visual bar etc. It's exactly what i'm poorly trying to replicate with my stats panel, and tbh what I've poorly replicated in many other situations. Can I replicate that in a dash somehow? Have wanted to ask this for a while...

Labels (3)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

livehybrid
SplunkTrust
SplunkTrust
‎02-06-2025 01:09 AM

How about using the "top" command, something like this?

index=_internal group=per_index_thruput series=* 
| top 10 host

livehybrid_0-1738832934267.png

 

View solution in original post

0 Karma
Reply
Solved! Jump to solution

livehybrid
SplunkTrust
SplunkTrust
‎02-05-2025 02:02 AM

@interrobang 

How about something like this?

index=_internal group=per_index_thruput series=* 
| bin _time span=10m 
| stats count by _time host
| stats list(*) AS * by _time 
| table _time host count

Which produces a table that looks like:

livehybrid_0-1738749723572.png

Please let me know how you get on and consider upvoting/karma this answer if it has helped.
Regards

Will

0 Karma
Reply
Solved! Jump to solution

interrobang
Explorer
‎02-05-2025 02:48 PM

checkhost.jpg

Yeh for reference I've got that kinda thing, it's super simple.

What I'm wondering is, if theres an easy way or even any way, to replicate the popup bubble, so that it'd look like this:

statuscount.jpg

Cause that would be a million times better. It's clear enough I could forget the 5x1m rows... and it's like being handed out for free instantly when clicking on any field in a search...

0 Karma
Reply
Solved! Jump to solution
Solution

livehybrid
SplunkTrust
SplunkTrust
‎02-06-2025 01:09 AM

How about using the "top" command, something like this?

index=_internal group=per_index_thruput series=* 
| top 10 host

livehybrid_0-1738832934267.png

 

0 Karma
Reply
Solved! Jump to solution

interrobang
Explorer
‎02-06-2025 09:33 PM

ah yeh, dont often use top, guess that looks as close as we're gonna get.

0 Karma
Reply
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...