Splunk Search
Highlighted

Single value visualization on mutliple-series result

Contributor

I have a search using the rangemap command which generates a table with three fields, e.g.:

domain | uptime | range
example.com | 99.5 | yellow
mydomain.com | 99.999 | green
anotherdomain.com | 99.2 | red

Is there a way to get a single value visualization on each series to include in a dashboard, either with simple or advanced xml?

Thanks
Simon

Tags (3)
0 Karma
Highlighted

Re: Single value visualization on mutliple-series result

Splunk Employee
Splunk Employee

I think that is a great idea.

I have done something similar to this by separating the range into several series, where each entry only shows up in one series, then using stackmode "stacked". This can be done in either simple or advanced xml. Take a look at the table I would try to create:

domain | red | yellow | green 
example.com | 0 | 1 | 0
mydomain.com | 0 | 0 | 1
anotherdomain.com | 1 | 0 | 0

Step 1 - search:

index=_internal | stats count by sourcetype | rangemap field=count green=0-100 yellow=101-1000 default=red | eval red=if(range=="red", 1, 0) | eval yellow=if(range=="yellow", 1, 0) | eval green=if(range=="green", 1, 0) | table sourcetype red yellow green

Step 2 - graph - add this to a panel in a dashboard and edit visualization to be column in stacked mode

Step 3 - change the series color to match - check the docs here

View solution in original post

Highlighted

Re: Single value visualization on mutliple-series result

Contributor

This is a great solution, thanks!

0 Karma