Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Timechart Cell value replace numeric value by conditional string

rishiaggarwal
Explorer
‎01-17-2016 06:24 PM

Hi All, i am newbie to Splunk and need an assistance in writing a splunk dashboard where i wish to replace the average transaction duration value with a range string. For eg. if the Transaction duration is between 0-6 sec, rather then displaying an actual average duration (number) it should display a text "Green".

Condition : 0-6 Green , 7-20 Amber, >20 Red

Draft Query is given below.

index=XXX_XXX  sourcetype=XXX_YYY source=YXYX_YCYC 
Search String 
| transaction correlationId keepevicted=true 
| timechart span=5m avg(duration) as response_health by activityName
| convert ctime(_time) as _time timeformat="%H:%M %p"  
| fillnull

alt text

Preview file
1 KB
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

renjith_nair
SplunkTrust
SplunkTrust
‎01-17-2016 09:03 PM

Try this

<your search>|untable _time activityName response_health|eval color=case(response_health==0 AND response_health<7,"Green",response_health> 6 AND response_health<21,"Amber" ,1=1,"Red")|xyseries _time activityName color

Instead of 1=1, you can provide response_heath>20 and give another default value in case the other three conditions are not matched.

Happy Splunking!

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

renjith_nair
SplunkTrust
SplunkTrust
‎01-17-2016 09:03 PM

Try this

<your search>|untable _time activityName response_health|eval color=case(response_health==0 AND response_health<7,"Green",response_health> 6 AND response_health<21,"Amber" ,1=1,"Red")|xyseries _time activityName color

Instead of 1=1, you can provide response_heath>20 and give another default value in case the other three conditions are not matched.

Happy Splunking!
0 Karma
Reply
Solved! Jump to solution

rishiaggarwal
Explorer
‎01-17-2016 10:37 PM

Thanks a heap. This solution worked for me.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability Cloud | Customer Survey!

If you use Splunk Observability Cloud, we invite you to share your valuable insights with us through a brief ...

.conf23 | Get Your Cybersecurity Defense Analyst Certification in Vegas

We’re excited to announce a new Splunk certification exam being released at .conf23! If you’re going to Las ...

Starting With Observability: OpenTelemetry Best Practices

Tech Talk Starting With Observability: OpenTelemetry Best Practices Tuesday, October 17, 2023   |  11AM PST / ...