Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Why is my search not populating the visualization tab with data?

rwells
Engager
‎04-28-2016 10:21 AM

When I run this search, everything runs fine, but I don't understand why my visualization tab does not populate. Does anyone have any idea what I might be doing wrong?
What I am trying to do is convert all the files into the most appropriate size and graph them

eventtype=egress_* File_Type=*| stats sum(Detail_File_Size) as sum_of_Data by File_Type | eval Data_converted=case(       sum_of_Data>=(1024*1024*1024*1024),round(sum_of_Data/(1024*1024*1024*1024),0)."TB",      sum_of_Data>=(1024*1024*1024),round(sum_of_Data/(1024*1024*1024),0)."GB",      sum_of_Data>=(1024*1024),round(sum_of_Data/(1024*1024),0)."MB",  sum_of_Data>=1024,round(sum_of_Data/1024,0)."KB",  1=1,sum_of_Data."B")      | table File_Type, Data_converted

alt text

Preview file
80 KB
Reply

sundareshr
Legend
‎04-28-2016 01:28 PM

You need a transforming command (such as stats, timechart, or top) to return search results in a data structure that supports both tables and chart visualizations. Remove the table from the end and change your search like this

eventtype=egress_* File_Type=*| stats sum(Detail_File_Size) as Data_converted by File_Type | eval Data_converted=case( Data_converted>=(1024*1024*1024*1024),round(Data_converted/(1024*1024*1024*1024),0)."TB",      Data_converted>=(1024*1024*1024),round(Data_converted/(1024*1024*1024),0)."GB",      Data_converted>=(1024*1024),round(Data_converted/(1024*1024),0)."MB",  Data_converted>=1024,round(Data_converted/1024,0)."KB",  1=1,Data_converted."B")
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Index This | What travels the world but is also stuck in place?

April 2026 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Realizing the full potential of your Splunk investment requires more than just understanding current usage; it ...

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

As data volumes continue to grow and environments become more distributed, managing and optimizing data ...