Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Why line and area chart are not available trying to create a pivot?

maxdranitski
Explorer
‎07-28-2014 09:49 AM

Hi there,

I prepared data model for a pivot - it based on sql query.
Data model contain with Root search and some childs...
When I'm trying to create Pivot: Line chart and Area chart are not available for me in left panel. Why does it happen?

alt text

Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

mattness
Splunk Employee
Splunk Employee
‎07-28-2014 02:45 PM

Martin is right in that you can't build a line or area chart without at least one split row element in the table. Split row elements provide the x-axis for the line/area chart, while column value elements provide the y-axis values for the line/area chart. You already have a column value element (the "Count of " column that you get when you first enter the Pivot).

Unfortunately, there's another limitation with search-based objects: Line and area charts in Pivot require that _time be auto-extracted as an attribute. Currently, search-based objects do not extract _time, because they are designed to return table rows for transforming searches. If you are basing this pivot on a root search object, this is probably why the line and area chart types are unavailable to you.

Try to base your pivot on an event-based object if possible. Event-based objects are far more versatile. You really only need to use search-based objects if you have to base your pivot on a transforming search that does not return events but rather tables of statistical information.

For more information on search-based object cons and pros, see: http://docs.splunk.com/Documentation/Splunk/6.1.2/Knowledge/Designdatamodelobjects#Add_a_root_search...

View solution in original post

Reply
Solved! Jump to solution
Solution

mattness
Splunk Employee
Splunk Employee
‎07-28-2014 02:45 PM

Martin is right in that you can't build a line or area chart without at least one split row element in the table. Split row elements provide the x-axis for the line/area chart, while column value elements provide the y-axis values for the line/area chart. You already have a column value element (the "Count of " column that you get when you first enter the Pivot).

Unfortunately, there's another limitation with search-based objects: Line and area charts in Pivot require that _time be auto-extracted as an attribute. Currently, search-based objects do not extract _time, because they are designed to return table rows for transforming searches. If you are basing this pivot on a root search object, this is probably why the line and area chart types are unavailable to you.

Try to base your pivot on an event-based object if possible. Event-based objects are far more versatile. You really only need to use search-based objects if you have to base your pivot on a transforming search that does not return events but rather tables of statistical information.

For more information on search-based object cons and pros, see: http://docs.splunk.com/Documentation/Splunk/6.1.2/Knowledge/Designdatamodelobjects#Add_a_root_search...

Reply
Solved! Jump to solution

maxdranitski
Explorer
‎08-25-2014 11:43 AM

Thank you, mattness!

Unfortunately this problem is still actual for me. I don't have any time criteria - and will not have... Anyway, I needed it to create a dashboard based on it. So, here are the way around which I have found: Just create a pivot using required data with any chart type (don't pay serious attention to it on this step) and save it as dashboard - when you open it on dashboard you will be able to change your chart type there as you would like to.. and without any blockers! =)))

0 Karma
Reply
Solved! Jump to solution

martin_mueller
SplunkTrust
SplunkTrust
‎07-28-2014 10:38 AM

Based on that screenshot you only have one result row. It doesn't make sense to draw a line or area chart from only one row - add something to split rows by, e.g. time, and try again.

0 Karma
Reply
Get Updates on the Splunk Community!

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Survey for Splunk Admins and App Developers is open now! | Earn a $35 gift card!      Hello there,  Splunk ...

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...