Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Why is a bar chart not showing up with my search?

zd00191
Communicator
‎07-10-2015 03:07 PM 
tag="*" LocID="-7" SbuID="-7"  | dedup tag |rename ResponseDisplay AS "Application Response", AvailabilityDisplay AS "Application Availability" |chart values("Application Availability") values("Application Response") by tag

I am running the search above trying to get a bar chart with two data series, but the chart will not show up? please help! Thanks!

Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎07-10-2015 03:17 PM

You cannot chart values because it creates a mutli-value field and because it usually creates a non-numeric field. If you switch your values functions for count you will see your chart; if you switch it to max or last and your fields are numeric it will also plot. I do not know what you are trying to show but this is what is preventing the visualization.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎07-10-2015 03:17 PM

You cannot chart values because it creates a mutli-value field and because it usually creates a non-numeric field. If you switch your values functions for count you will see your chart; if you switch it to max or last and your fields are numeric it will also plot. I do not know what you are trying to show but this is what is preventing the visualization.

0 Karma
Reply
Solved! Jump to solution

zd00191
Communicator
‎07-10-2015 03:20 PM

tag="*" LocID="-7" SbuID="-7" | dedup tag |rename ResponseDisplay AS "Application Response", AvailabilityDisplay AS "Application Availability" |stats last("Application Availability") last("Application Response") by tag

it still does not work

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎07-10-2015 03:23 PM

It should if you click on the "Visualization" tab. If you switch stats for chart then it will automatically switch to the Visualization tab.

0 Karma
Reply
Solved! Jump to solution

zd00191
Communicator
‎07-10-2015 03:29 PM

100% is the value in both availability and reponse...I think it needs ot just be 100 so it is a number

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎07-10-2015 09:56 PM

Try this:

tag="*" LocID="-7" SbuID="-7"  | dedup tag | rex field=ResponseDisplay "(?<Application_Response>\d+)" | rex field=AvailabilityDisplay "(?<Application_Availability>\d+)" | chart values(Application_Availability) values(Application_Response) by tag

I accidentally deleted some of our conversation and I am sorry about that. You said that the above is giving a rex error but I don't see how that is possible unless you changed it Be aware that the stuff inside angle brackets (``) is LITERAL and should not be modified in any way. Just take the search above and paste it as-is and it should work fine.

Reply
Get Updates on the Splunk Community!

Cultivate Your Career Growth with Fresh Splunk Training

Growth doesn’t just happen—it’s nurtured. Like tending a garden, developing your Splunk skills takes the right ...

Introducing a Smarter Way to Discover Apps on Splunkbase

We’re excited to announce the launch of a foundational enhancement to Splunkbase: App Tiering.  Because we’ve ...

How to Send Splunk Observability Alerts to Webex teams in Minutes

As a Developer Evangelist at Splunk, my team and I are constantly tinkering with technology to explore its ...