I am doing it with Pie Chart
and Trellis
but that starts paginating at 20 and there is no way to expand that (JIRAs = SPL-143101
and SPL-176965
). Ideally, I'd like to do it with a built-in visualization (maybe there is a way to hack a Scatter Chart
or a Bubble Chart
?) but if that is not possible, what is the best Mod Viz
app to do it from Splunkbase? Ideally it would sort them from worst to best like the Service Analyzer
in ITSI
. Actually, a tightly stacked single-value
visualization like that would work, too. Have any of you custom-built a Service Analyzer
view in core Splunk somehow?
The idea is to have something that is future-proof
such that if I add a new thing
that they new thing
shows up as a new visualization element without me having to do anything, kind of like when a new Service
is defined in ITSI
and it magically shows up on the Service Analyzer
page.
OK, I am working with Pie Charts and Trellis now that I finally figured out how to make the drilldown work. There are 2 only-documented-one-place tokens and another not-documented-anywhere one. I discovered these by copying my dashboard into the Dashboard Examples app and using <form script="event_token_browser.js">. For any of you struggling with dashboard tokens, this is a MUST HAVE tool:
.../en-US/app/simple_xml_examples/custom_event_tokens
They should get documented other places besides
the one place that I found 2 of them:
https://docs.splunk.com/Documentation/Splunk/8.0.0/Viz/VisualizationTrellis
$trellis.split.<trellis_field_name>$ $trellis.name$ $trellis.value$
@woodcock Good find. Here's a tip: Provided one has the Dashboard Examples app already installed, one can leave their dashboard where ever they want, and pull resources from other installed apps. So that JavaScript can be pulled from its app, like this:
<form script="simple_xml_examples:event_token_browser.js">
I used a Bubble Chart
(or Scatter Chart
) and set all my bubbles to the same size. Key chart configs include:
X axis interval : 1
Mark Min size : 1
Mark Max size : 17
Key to the success of the graph are the 1st 3 columns...
Column 1
should correspond to the value that you want colored. In my case, i used four: Okay
, Caution
, Concern
& Critical
Column 2
is your X
value
Column 3
is your Y
value
| windbag
| eval lenSample=len(sample)
| eval positionStr="Position "+position
| eval health = case(lenSample<20,"Okay",lenSample<30,"Caution",lenSample<40,"Concern",lenSample>=0,"Critical")
| eval y=trunc(position/10)+1
| eval x=trunc(position%10)+1
| table health,x,y, positionStr
It works better like this:
| windbag
| head 100
| eval lenSample=len(sample)
| stats avg(lenSample) AS lenSample BY lang
| streamstats count AS position
| eval position = position - 1
| eval y = 0 - (trunc(position/10) + 1)
| eval x = position%10 + 1
| eval health = case(lenSample<20,"Okay",lenSample<30,"Caution",lenSample<40,"Concern",lenSample>=0,"Critical")
| table health x y lang
BONUS POINTS for the use of windbag
to generate sample event data!
@woodcock Service Analyzer kind of view from ITSI is possible in core Splunk
I think that perhaps you are not understanding what I mean by the Service Analyzer View in ITSI
. I am talking about this:
https://docs.splunk.com/Documentation/ITSI/4.4.0/User/ServiceAnalyzer
If you take a look at the MOST EXCELLENT answer provided by @awmorris, he is getting exactly what I mean. I looked at your link and it seems like you are more answering how to see an outlier
or swim lane
view in ITSI
, which is not the ask.
@woodcock The answer was up-voted, but not accepted. Oversight?
None of the answers works for me so I am hoping for another answer.
@woodcock how about this answer: https://answers.splunk.com/answers/529004/is-there-a-way-to-display-more-than-20-charts-at-a.html#an...