Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

how to show three values in label in visualization of splunk

karthikeyan_k14
New Member
‎01-12-2017 01:44 AM

in my chart I am showing three variable values using xyseries command.
But looking at bar chart we can see only two values in label, other value in legend.
I need to show three values in Label, not in legend or variation in colors.

Please provide solution.

Tags (4)
0 Karma
Reply

DalJeanis
Legend
‎02-10-2017 12:18 PM

The values are already there in the label.

If the fieldnames are service_foo, host_name and count, and the values are service1, host1 and 23, then the label is showing 

service_foo: service1
host1:           23

As far as _time, it doesn't exist in the query at that point.

So, for purposes of discussion, here's a query that generates random counts of events across a time period for 4 hosts in 3 different "services"

| gentimes start="01/25/2017:23:00:00" end="01/27/2017:01:00:00" increment=23m 
| streamstats count as baseEvent | eval series="A"
| append[| gentimes start="01/26/2017:03:00:00" end="01/26/2017:21:00:00" increment=47m | streamstats count as baseEvent | eval series="B"]
| append[| gentimes start="01/26/2017:01:17:00" end="01/26/2017:23:18:00" increment=21m | streamstats count as baseEvent | eval series="C"]
| eval rand1 = random()
| eval adder1 = tonumber(substr(tostring(rand1),1,4))
| eval adder2 = tonumber(substr(tostring(rand1),max(len(rand1)-4,3),4))
| eval sometimes=mvappend(tostring(starttime),tostring(starttime+adder1),tostring(starttime+adder2))
| mvexpand sometimes 
| eval _time=sometimes 
| eval rand2 = random() 
| eval value=substr(rand2,len(rand2)-2,2)
| eval rand3 = random()
| eval host = case(rand3>1800000000,"Host1",rand3>1200000000,"Host2",rand3>600000000,"Host3",true(),"Host4")
| bin _time span=15m
| stats count as eventcount, sum(value) as sumvalue by _time host series
| rename series as service_foo, host as host_name, sumvalue as count
| table _time, service_foo, host_name, count

Everyone can drop that into your current xyseries command like so:

| xyseries service_foo, host_name, count
0 Karma
Reply

cmerriman
Super Champion
‎01-12-2017 05:47 AM

can you provide syntax/current visualization?

0 Karma
Reply

karthikeyan_k14
New Member
‎01-30-2017 06:21 AM

Is it possible to get answer for this?

0 Karma
Reply

cmerriman
Super Champion
‎01-30-2017 06:32 AM

try | xyseries service_foo host_name value

the last field in an xyseries is supposed to be the value being charted.
If that doesn't work, we might need more information. what data looks like before and after the xyseries. that command is finicky.

0 Karma
Reply

karthikeyan_k14
New Member
‎01-30-2017 06:37 AM

if we need to show 4 or more value in lable means, how can I?

this is for host cpu utilization. Need to show Process %, host name,application running and counts, time.

0 Karma
Reply

karthikeyan_k14
New Member
‎01-30-2017 06:38 AM

this is for host cpu utilization. Need to show Process %, host name,application running and counts, time, while placing the pointer in bar chart

0 Karma
Reply

somesoni2
Revered Legend
‎01-30-2017 07:10 AM

You can merge two fields into 1 using string concatenation in some and use that field for charting so that the label of concatenated field show 2 label values. Need full, actual search to give more accurate suggestions.

0 Karma
Reply

karthikeyan_k14
New Member
‎02-02-2017 09:00 PM

how to show five values individual in label in visualization of splunk

0 Karma
Reply

cmerriman
Super Champion
‎02-03-2017 04:53 AM

you can just eval as many fields together as you need:

|eval label=field1+"-"+field2+"-"+field3+"-"+.......|stats count by label

just as an example would give you the count for every label that had all these random fields concatenated together.

0 Karma
Reply

karthikeyan_k14
New Member
‎02-10-2017 02:31 AM

I have to show additional 2 values and filed name in label apart from x and y values in bar chat.

  1. Host Name=xxxx
  2. Servcie: yyyy
  3. _time
  4. CPU count. in bar chart.
0 Karma
Reply

karthikeyan_k14
New Member
‎01-12-2017 06:08 AM

index.foo host="foo" |.... eval foo...| xyseries service_foo host_name count.....
In this above query, I can see two field values in bar chart (labels)..look like
1.Service_foo : value
2. host_name: count's value & Host_name are showing in legend.

But I need all three value with field name in label while pointing the specific bar in bar chart. its should be like
1. Service_foo: value,
2. count : value,
3.host_name:value.

how to come up with above three value in label in bar chart.

0 Karma
Reply

niketn
Legend
‎01-13-2017 10:29 AM

Would it be possible for you to provide sample values for the three fields i.e.

service_foo host_name count

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Get Updates on the Splunk Community!

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...