Splunk Search

What is the best way to get 100ish Greeen/Yellow/Red circles as tightly as possible in a visualization?

Esteemed Legend

I am doing it with Pie Chart and Trellis but that starts paginating at 20 and there is no way to expand that (JIRAs = SPL-143101 and SPL-176965). Ideally, I'd like to do it with a built-in visualization (maybe there is a way to hack a Scatter Chart or a Bubble Chart?) but if that is not possible, what is the best Mod Viz app to do it from Splunkbase? Ideally it would sort them from worst to best like the Service Analyzer in ITSI. Actually, a tightly stacked single-value visualization like that would work, too. Have any of you custom-built a Service Analyzer view in core Splunk somehow?

0 Karma

Esteemed Legend

The idea is to have something that is future-proof such that if I add a new thing that they new thing shows up as a new visualization element without me having to do anything, kind of like when a new Service is defined in ITSI and it magically shows up on the Service Analyzer page.

0 Karma

Esteemed Legend

OK, I am working with Pie Charts and Trellis now that I finally figured out how to make the drilldown work. There are 2 only-documented-one-place tokens and another not-documented-anywhere one. I discovered these by copying my dashboard into the Dashboard Examples app and using <form script="event_token_browser.js">. For any of you struggling with dashboard tokens, this is a MUST HAVE tool:
.../en-US/app/simplexmlexamples/customeventtokens

They should get documented other places besides
the one place that I found 2 of them:
https://docs.splunk.com/Documentation/Splunk/8.0.0/Viz/VisualizationTrellis

$trellist.split.<trellis_field_name>$
$trellis.name$
$trellis.value$
0 Karma

Builder

@woodcock Good find. Here's a tip: Provided one has the Dashboard Examples app already installed, one can leave their dashboard where ever they want, and pull resources from other installed apps. So that JavaScript can be pulled from its app, like this:
<form script="simple_xml_examples:event_token_browser.js">

###

If this reply helps you, an upvote would be appreciated.
0 Karma

Path Finder

I used a Bubble Chart (or Scatter Chart) and set all my bubbles to the same size. Key chart configs include:

X axis interval : 1
Mark Min size : 1
Mark Max size : 17

Key to the success of the graph are the 1st 3 columns...

Column 1 should correspond to the value that you want colored. In my case, i used four: Okay, Caution, Concern & Critical
Column 2 is your X value
Column 3 is your Y value

| windbag 
| eval lenSample=len(sample) 
| eval positionStr="Position "+position 
| eval health = case(lenSample<20,"Okay",lenSample<30,"Caution",lenSample<40,"Concern",lenSample>=0,"Critical") 
| eval y=trunc(position/10)+1 
| eval x=trunc(position%10)+1
| table health,x,y, positionStr

alt text

Esteemed Legend

It works better like this:

| windbag 
| head 100
| eval lenSample=len(sample) 
| stats avg(lenSample) AS lenSample BY lang
| streamstats count AS position
| eval position = position - 1
| eval y = 0 - (trunc(position/10) + 1) 
| eval x = position%10 + 1 
| eval health = case(lenSample<20,"Okay",lenSample<30,"Caution",lenSample<40,"Concern",lenSample>=0,"Critical") 
| table health x y lang
0 Karma

Esteemed Legend

BONUS POINTS for the use of windbag to generate sample event data!

0 Karma

SplunkTrust
SplunkTrust

@woodcock Service Analyzer kind of view from ITSI is possible in core Splunk

  1. either with Line/Area Chart with series compare legends (refer to one of my older answers: https://answers.splunk.com/answers/752153/building-a-dashboard-to-help-tune-our-network-sens.html)
  2. or else through Horizon Chart Custom Viz. See if one of these fits your needs.
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

Esteemed Legend

I think that perhaps you are not understanding what I mean by the Service Analyzer View in ITSI. I am talking about this:
https://docs.splunk.com/Documentation/ITSI/4.4.0/User/ServiceAnalyzer
If you take a look at the MOST EXCELLENT answer provided by @awmorris, he is getting exactly what I mean. I looked at your link and it seems like you are more answering how to see an outlier or swim lane view in ITSI, which is not the ask.

0 Karma

Builder

@woodcock The answer was up-voted, but not accepted. Oversight?

###

If this reply helps you, an upvote would be appreciated.
0 Karma

Esteemed Legend

None of the answers works for me so I am hoping for another answer.

0 Karma

SplunkTrust
SplunkTrust

@woodcock how about this answer: https://answers.splunk.com/answers/529004/is-there-a-way-to-display-more-than-20-charts-at-a.html#an...

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma