Splunk Search

Scatter plot with text values and colour

alex_collins_in
New Member

I'm trying to plot the following as a scatter chart:

  • The y-axis should be the namespace. Namespace is a small set of strings, e.g. "default", "argo" or "kube-system".
  • The x-axis is time.
  • Each point should be coloured either green or red depending on whether or not the workflow succeeded or failed.

Problem 1 - you cannot have non-numeric x and y axis. Time does not appear to be numeric. So how do I convert my namespace to a number? I think it should be 0..N based on it's index is the values that namespace can be.

Problem 2 - how to colour points?

This is how far I have gotten so far:

index=foo sourcetype=eventrouter host="event-router-*" source="foo/*" event.involvedObject.kind=Workflow (event.reason=WorkflowSucceeded OR event.reason=WorkflowFailed) | convert num(_time) as x | table event.metadata.namespace x event.reason

 

Labels (1)
0 Karma

Random_Walk
Path Finder

Hi @Anonymous ,

To map the namespace to a number you can use an eval case like:

| eval NameIndex=case(NameSpace=="default",0, NameSpace=="argo",1, NameSpace=="kube-system",2, NameSpace=="AWS",3)

The scatterplot colouring I'm not so sure, most of the charts have colour values in the XML, but I've not played with scatterplots.

 

Kind Regards,

R.

0 Karma
Get Updates on the Splunk Community!

Leveraging Detections from the Splunk Threat Research Team & Cisco Talos

  Now On Demand  Stay ahead of today’s evolving threats with the combined power of the Splunk Threat Research ...

New in Splunk Observability Cloud: Automated Archiving for Unused Metrics

Automated Archival is a new capability within Metrics Management; which is a robust usage & cost optimization ...

Calling All Security Pros: Ready to Race Through Boston?

Hey Splunkers, .conf25 is heading to Boston and we’re kicking things off with something bold, competitive, and ...