Splunk Search

Why line and area chart are not available trying to create a pivot?

maxdranitski
Explorer

Hi there,

I prepared data model for a pivot - it based on sql query.
Data model contain with Root search and some childs...
When I'm trying to create Pivot: Line chart and Area chart are not available for me in left panel. Why does it happen?

alt text

Tags (3)
0 Karma
1 Solution

mattness
Splunk Employee
Splunk Employee

Martin is right in that you can't build a line or area chart without at least one split row element in the table. Split row elements provide the x-axis for the line/area chart, while column value elements provide the y-axis values for the line/area chart. You already have a column value element (the "Count of " column that you get when you first enter the Pivot).

Unfortunately, there's another limitation with search-based objects: Line and area charts in Pivot require that _time be auto-extracted as an attribute. Currently, search-based objects do not extract _time, because they are designed to return table rows for transforming searches. If you are basing this pivot on a root search object, this is probably why the line and area chart types are unavailable to you.

Try to base your pivot on an event-based object if possible. Event-based objects are far more versatile. You really only need to use search-based objects if you have to base your pivot on a transforming search that does not return events but rather tables of statistical information.

For more information on search-based object cons and pros, see: http://docs.splunk.com/Documentation/Splunk/6.1.2/Knowledge/Designdatamodelobjects#Add_a_root_search...

View solution in original post

mattness
Splunk Employee
Splunk Employee

Martin is right in that you can't build a line or area chart without at least one split row element in the table. Split row elements provide the x-axis for the line/area chart, while column value elements provide the y-axis values for the line/area chart. You already have a column value element (the "Count of " column that you get when you first enter the Pivot).

Unfortunately, there's another limitation with search-based objects: Line and area charts in Pivot require that _time be auto-extracted as an attribute. Currently, search-based objects do not extract _time, because they are designed to return table rows for transforming searches. If you are basing this pivot on a root search object, this is probably why the line and area chart types are unavailable to you.

Try to base your pivot on an event-based object if possible. Event-based objects are far more versatile. You really only need to use search-based objects if you have to base your pivot on a transforming search that does not return events but rather tables of statistical information.

For more information on search-based object cons and pros, see: http://docs.splunk.com/Documentation/Splunk/6.1.2/Knowledge/Designdatamodelobjects#Add_a_root_search...

maxdranitski
Explorer

Thank you, mattness!

Unfortunately this problem is still actual for me. I don't have any time criteria - and will not have... Anyway, I needed it to create a dashboard based on it. So, here are the way around which I have found: Just create a pivot using required data with any chart type (don't pay serious attention to it on this step) and save it as dashboard - when you open it on dashboard you will be able to change your chart type there as you would like to.. and without any blockers! =)))

0 Karma

martin_mueller
SplunkTrust
SplunkTrust

Based on that screenshot you only have one result row. It doesn't make sense to draw a line or area chart from only one row - add something to split rows by, e.g. time, and try again.

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...