Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
- Find Answers
- :
- About HattrickNZ
HattrickNZ
Motivator
Member since:
10-29-2012
07-03-2021
Community Statistics
| Posts | 515 |
| Solutions | 13 |
| Karma Given | 181 |
| Karma Received | 55 |
| Member Since | 10-29-2012 |
Activity Feed
- Got Karma for Re: Can I press enter in a splunk search and not do a search it just moves the text to a new line.. 01-17-2025 03:15 PM
- Got Karma for Is there a way to remove the `Real-time` part that appears from the drop down time picker. 06-19-2024 02:16 PM
- Got Karma for In a dashboard, how can I remove the panels that say "No results found." with code or something equivalent?. 09-12-2022 01:38 AM
- Got Karma for declaring a variable in splunk dasboard and make available to all searches. 08-29-2022 08:58 AM
- Karma Re: calculating values in new rows/columns and appending based on values in existing rows/columns for martin_mueller. 07-03-2021 02:24 AM
- Posted Re: How to convert epoch time with milliseconds into splunk at indexing time on Splunk Search. 07-02-2021 08:56 PM
- Karma Re: How to restart a splunk on windows through Command Prompt and control panel? for kamlesh_vaghela. 07-02-2021 03:18 PM
- Got Karma for Commented code moves in splunk Dashboard. 06-17-2020 12:40 PM
- Karma Re: the way fields are arranged in a timechart / join combination particularily the 2nd search being joined for woodcock. 06-05-2020 12:50 AM
- Karma Re: stats count(*) as * by host VERSUS stats count(kpi1) as kpi1 ... by host. for jkat54. 06-05-2020 12:50 AM
- Karma Re: 2 dropdowns, Can I pass the value/choice from 1 dropdown into the choice of another dropdown? for nareshinsvu. 06-05-2020 12:50 AM
- Karma Re: 2 dropdowns, Can I pass the value/choice from 1 dropdown into the choice of another dropdown? for niketn. 06-05-2020 12:50 AM
- Karma Re: In a dashboard, how can I remove the panels that say "No results found." with code or something equivalent? for cmerriman. 06-05-2020 12:50 AM
- Karma Re: In a dashboard, how can I remove the panels that say "No results found." with code or something equivalent? for cmerriman. 06-05-2020 12:50 AM
- Karma Re: I want to do `latest=-10m@5m` for nvanderwalt_spl. 06-05-2020 12:50 AM
- Karma Re: I want to do `latest=-10m@5m` for MuS. 06-05-2020 12:50 AM
- Karma Re: I want to do `latest=-10m@5m` for maheshsn. 06-05-2020 12:50 AM
- Karma Re: How to sort the column names alphabetically at the end of the search? for chrisyounger. 06-05-2020 12:50 AM
- Karma Re: How to sort the column names alphabetically at the end of the search? for niketn. 06-05-2020 12:50 AM
- Karma Re: How to sort the column names alphabetically at the end of the search? for chrisyounger. 06-05-2020 12:50 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 1 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 1 | |||
| 0 | |||
| 0 |
05-10-2015
03:05 PM
tks will have a look at that
Found this here which helped me get a better grasp of it.
index=_internal earliest=-5m sourcetype=splunkd | stats count | gauge count [search sourcetype=splunkd index=_internal earliest=-20m latest=-10m | stats count as max | eval first=0 | eval second=10 | eval third=max/2 | eval fourth=max | eval range=first+" "+second+" "+third+" "+fourth | return $range]
... View more
05-07-2015
08:27 PM
Can it be done in basic XML? Or do you have to got to advanced XML or HTML or do you need css or js?
... View more
05-07-2015
06:56 PM
I have the follwoing search that does prediction, and what I want to do is add another column to this graph, in this case it is test=120000. This work as I would expect.
... earliest=-5d@d latest=+10d@d Device=Device1 | timechart span=d max(field1) by Device | predict Device1 as predict1 future_timespan=10 holdback=2 | eval test=120000
However I would like to get it to work using a field that is already in the dataset for example:
... earliest=-5d@d latest=+10d@d Device=Device1 | timechart span=d max(field1) by Device | predict Device1 as predict1 future_timespan=10 holdback=2 | eval test=field2
How do I do this?
I cannot get it to work, nothing shows up. I have even tried eval test=max(field2) but I am not sure if this can be done or is it my lack of understanding? I do not think I can place it as a parameter to predict as this will break my predict function.
EDIT1 Alternative method but same INCORRECT RESULT
I can actually put it as a parameter to the timechart, however it does not show any values for future dates which is what I am trying to achieve using the eval method.
... earliest=-5d@d latest=+10d@d Device=Device1 | timechart span=d max(field1) as f1 max(field2) as f2 | predict f1 as predict1 future_timespan=10 holdback=2
EDIT2 Alternative method but same INCORRECT RESULT
Another way to do it, in using appendcols , but it produces the same as the above 2 methods:
... earliest=-5d@d latest=+10d@d Device=Device1 | timechart span=d max(field1) as f1 | predict f1 as predict1 future_timespan=10 holdback=2 | appendcols [search index=... earliest=-5d@d latest=+10d@d Device=Device1 | timechart max(field2) as f2 ]
here is a pic of what I am talking about: (I want the yellow line to continue for the whole timespan)
EDIT3 Alternative method but alomost CORRECT RESULT sogetting better
now this at least looks like I am getting somewhere.
I have to do an appendcols of a new predict function and then drop the upper* and lower* fields to get what I want.
The downside to this is that you lose interactivity with the graph, which I don't like, but it is almost acceptable.
... earliest=-5d@d latest=+10d@d Device=Device1 | timechart span=d max(field1) as f1 | predict f1 as predict1 future_timespan=10 holdback=2 | appendcols [search index=... earliest=-5d@d latest=+10d@d Device=Device1 | | timechart max(field2) as f2 | predict f2 as f2 future_timespan=10] | fields - upper* lower*
this is a pic of what I have now
... View more
05-07-2015
06:19 PM
@tlagatta_splunk thanks very much for your help on this....
How do I not include todays value in the real values, because I am working on max values per day and if I run this search in the morning the max for today won't be hit til later today, so I would like to remove(not use) todays value? In fact I can do this using holdback=1. But that won't stop it showing in the graph. I wonder is there a way to remove this?
My search looks something like:
...earliest=-120d@d latest=+300d@d | timechart span=d max(KPI1) by DeviceName | predict Device1 as predict1 future_timespan=300 holdback=10
... View more
05-07-2015
05:16 PM
I have this search, and this at least gives me some output but not as I would like.
index=_internal sourcetype="splunk_web_access" | timechart count(uri) | eval test=if(_time<="2015-04-29",450,600)
But what I want to do is be able to control the value of the test field relative to the _time field.
For instance, I would like test to be equal to 450 up to this date "2015-04-29" and then 600 afer that.
What is the corerct syntax to do this?
The output of my data looks something like this:
_time count(uri) test
2015-04-08 1 450
2015-04-09 1 450
2015-04-10 1 450
2015-04-11 0 450
... View more
05-07-2015
03:45 PM
5 Karma
I have a very simple test dashboard(see code below)
It basically has 2 rows, with 1 panel in the 1st and multiple panels in the 2nd.
What I want to know is what is the XML code to use to insert some text inbetween the rows? This will basically act as a divider/description of the Row that follows.
I have tried something like this:
<label>THIS IS A LABEL</label>
All my XML CODE below:
<dashboard>
<label>dynamic_gauges</label>
<description>these are dynamic gagues
want to see how many I can fit in a row without further code.
And would alos like to add percentages</description>
<row>
<panel>
<table>
<title>first1</title>
<search>
<query>index=_internal earliest=-5m sourcetype=splunkd | stats count | gauge count [search sourcetype=splunkd index=_internal earliest=-20m latest=-10m | stats count as max | eval first=0 | eval second=10 | eval third=max/2 | eval fourth=max | eval range=first+" "+second+" "+third+" "+fourth | return $range]</query>
<earliest></earliest>
<latest></latest>
</search>
</table>
</panel>
</row>
<label>THIS IS A LABEL</label>
<row>
<panel>
<chart>
<title>1st gauge</title>
<search>
<query>index=_internal earliest=-5m sourcetype=splunkd | stats count | gauge count [search sourcetype=splunkd index=_internal earliest=-20m latest=-10m | stats count as max | eval first=0 | eval second=10 | eval third=max/2 | eval fourth=max | eval range=first+" "+second+" "+third+" "+fourth | return $range]</query>
</search>
<option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
<option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
<option name="charting.axisTitleX.visibility">visible</option>
<option name="charting.axisTitleY.visibility">visible</option>
<option name="charting.axisTitleY2.visibility">visible</option>
<option name="charting.axisX.scale">linear</option>
<option name="charting.axisY.scale">linear</option>
<option name="charting.axisY2.enabled">false</option>
<option name="charting.axisY2.scale">inherit</option>
<option name="charting.chart">fillerGauge</option>
<option name="charting.chart.bubbleMaximumSize">50</option>
<option name="charting.chart.bubbleMinimumSize">10</option>
<option name="charting.chart.bubbleSizeBy">area</option>
<option name="charting.chart.nullValueMode">gaps</option>
<option name="charting.chart.sliceCollapsingThreshold">0.01</option>
<option name="charting.chart.stackMode">default</option>
<option name="charting.chart.style">shiny</option>
<option name="charting.drilldown">all</option>
<option name="charting.layout.splitSeries">0</option>
<option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
<option name="charting.legend.placement">right</option>
</chart>
</panel>
<panel>
<chart>
<title>2nd gauge</title>
<search>
<query>index=_internal earliest=-5m sourcetype=splunkd | stats count | gauge count [search sourcetype=splunkd index=_internal earliest=-20m latest=-10m | stats count as max | eval first=0 | eval second=10 | eval third=max/2 | eval fourth=max | eval range=first+" "+second+" "+third+" "+fourth | return $range]</query>
</search>
<option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
<option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
<option name="charting.axisTitleX.visibility">visible</option>
<option name="charting.axisTitleY.visibility">visible</option>
<option name="charting.axisTitleY2.visibility">visible</option>
<option name="charting.axisX.scale">linear</option>
<option name="charting.axisY.scale">linear</option>
<option name="charting.axisY2.enabled">false</option>
<option name="charting.axisY2.scale">inherit</option>
<option name="charting.chart">fillerGauge</option>
<option name="charting.chart.bubbleMaximumSize">50</option>
<option name="charting.chart.bubbleMinimumSize">10</option>
<option name="charting.chart.bubbleSizeBy">area</option>
<option name="charting.chart.nullValueMode">gaps</option>
<option name="charting.chart.sliceCollapsingThreshold">0.01</option>
<option name="charting.chart.stackMode">default</option>
<option name="charting.chart.style">shiny</option>
<option name="charting.drilldown">all</option>
<option name="charting.layout.splitSeries">0</option>
<option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
<option name="charting.legend.placement">right</option>
</chart>
</panel>
<panel>
<chart>
<title>3rd gauge</title>
<search>
<query>index=_internal earliest=-5m sourcetype=splunkd | stats count | gauge count [search sourcetype=splunkd index=_internal earliest=-20m latest=-10m | stats count as max | eval first=0 | eval second=10 | eval third=max/2 | eval fourth=max | eval range=first+" "+second+" "+third+" "+fourth | return $range]</query>
</search>
<option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
<option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
<option name="charting.axisTitleX.visibility">visible</option>
<option name="charting.axisTitleY.visibility">visible</option>
<option name="charting.axisTitleY2.visibility">visible</option>
<option name="charting.axisX.scale">linear</option>
<option name="charting.axisY.scale">linear</option>
<option name="charting.axisY2.enabled">false</option>
<option name="charting.axisY2.scale">inherit</option>
<option name="charting.chart">fillerGauge</option>
<option name="charting.chart.bubbleMaximumSize">50</option>
<option name="charting.chart.bubbleMinimumSize">10</option>
<option name="charting.chart.bubbleSizeBy">area</option>
<option name="charting.chart.nullValueMode">gaps</option>
<option name="charting.chart.sliceCollapsingThreshold">0.01</option>
<option name="charting.chart.stackMode">default</option>
<option name="charting.chart.style">shiny</option>
<option name="charting.drilldown">all</option>
<option name="charting.layout.splitSeries">0</option>
<option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
<option name="charting.legend.placement">right</option>
</chart>
</panel>
<panel>
<chart>
<title>4th gauge</title>
<search>
<query>index=_internal earliest=-5m sourcetype=splunkd | stats count | gauge count [search sourcetype=splunkd index=_internal earliest=-20m latest=-10m | stats count as max | eval first=0 | eval second=10 | eval third=max/2 | eval fourth=max | eval range=first+" "+second+" "+third+" "+fourth | return $range]</query>
<earliest></earliest>
<latest></latest>
</search>
<option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
<option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
<option name="charting.axisTitleX.visibility">visible</option>
<option name="charting.axisTitleY.visibility">visible</option>
<option name="charting.axisTitleY2.visibility">visible</option>
<option name="charting.axisX.scale">linear</option>
<option name="charting.axisY.scale">linear</option>
<option name="charting.axisY2.enabled">0</option>
<option name="charting.axisY2.scale">inherit</option>
<option name="charting.chart">markerGauge</option>
<option name="charting.chart.bubbleMaximumSize">50</option>
<option name="charting.chart.bubbleMinimumSize">10</option>
<option name="charting.chart.bubbleSizeBy">area</option>
<option name="charting.chart.nullValueMode">gaps</option>
<option name="charting.chart.sliceCollapsingThreshold">0.01</option>
<option name="charting.chart.stackMode">default</option>
<option name="charting.chart.style">shiny</option>
<option name="charting.drilldown">all</option>
<option name="charting.layout.splitSeries">0</option>
<option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
<option name="charting.legend.placement">right</option>
</chart>
</panel>
<panel>
<chart>
<title>5th gauge</title>
<search>
<query>index=_internal earliest=-5m sourcetype=splunkd | stats count | gauge count [search sourcetype=splunkd index=_internal earliest=-20m latest=-10m | stats count as max | eval first=0 | eval second=10 | eval third=max/2 | eval fourth=max | eval range=first+" "+second+" "+third+" "+fourth | return $range]</query>
<earliest></earliest>
<latest></latest>
</search>
<option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
<option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
<option name="charting.axisTitleX.visibility">visible</option>
<option name="charting.axisTitleY.visibility">visible</option>
<option name="charting.axisTitleY2.visibility">visible</option>
<option name="charting.axisX.scale">linear</option>
<option name="charting.axisY.scale">linear</option>
<option name="charting.axisY2.enabled">0</option>
<option name="charting.axisY2.scale">inherit</option>
<option name="charting.chart">markerGauge</option>
<option name="charting.chart.bubbleMaximumSize">50</option>
<option name="charting.chart.bubbleMinimumSize">10</option>
<option name="charting.chart.bubbleSizeBy">area</option>
<option name="charting.chart.nullValueMode">gaps</option>
<option name="charting.chart.sliceCollapsingThreshold">0.01</option>
<option name="charting.chart.stackMode">default</option>
<option name="charting.chart.style">shiny</option>
<option name="charting.drilldown">all</option>
<option name="charting.layout.splitSeries">0</option>
<option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
<option name="charting.legend.placement">right</option>
</chart>
</panel>
<panel>
<chart>
<title>6th Gauge</title>
<search>
<query>index=_internal earliest=-5m sourcetype=splunkd | stats count | gauge count [search sourcetype=splunkd index=_internal earliest=-20m latest=-10m | stats count as max | eval first=0 | eval second=10 | eval third=max/2 | eval fourth=max | eval range=first+" "+second+" "+third+" "+fourth | return $range]</query>
<earliest></earliest>
<latest></latest>
</search>
<option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
<option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
<option name="charting.axisTitleX.visibility">visible</option>
<option name="charting.axisTitleY.visibility">visible</option>
<option name="charting.axisTitleY2.visibility">visible</option>
<option name="charting.axisX.scale">linear</option>
<option name="charting.axisY.scale">linear</option>
<option name="charting.axisY2.enabled">0</option>
<option name="charting.axisY2.scale">inherit</option>
<option name="charting.chart">markerGauge</option>
<option name="charting.chart.bubbleMaximumSize">50</option>
<option name="charting.chart.bubbleMinimumSize">10</option>
<option name="charting.chart.bubbleSizeBy">area</option>
<option name="charting.chart.nullValueMode">gaps</option>
<option name="charting.chart.sliceCollapsingThreshold">0.01</option>
<option name="charting.chart.stackMode">default</option>
<option name="charting.chart.style">shiny</option>
<option name="charting.drilldown">all</option>
<option name="charting.layout.splitSeries">0</option>
<option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
<option name="charting.legend.placement">right</option>
</chart>
</panel>
<panel>
<chart>
<title>7th Gauge</title>
<search>
<query>index=_internal earliest=-5m sourcetype=splunkd | stats count | gauge count [search sourcetype=splunkd index=_internal earliest=-20m latest=-10m | stats count as max | eval first=0 | eval second=10 | eval third=max/2 | eval fourth=max | eval range=first+" "+second+" "+third+" "+fourth | return $range]</query>
<earliest></earliest>
<latest></latest>
</search>
<option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
<option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
<option name="charting.axisTitleX.visibility">visible</option>
<option name="charting.axisTitleY.visibility">visible</option>
<option name="charting.axisTitleY2.visibility">visible</option>
<option name="charting.axisX.scale">linear</option>
<option name="charting.axisY.scale">linear</option>
<option name="charting.axisY2.enabled">0</option>
<option name="charting.axisY2.scale">inherit</option>
<option name="charting.chart">markerGauge</option>
<option name="charting.chart.bubbleMaximumSize">50</option>
<option name="charting.chart.bubbleMinimumSize">10</option>
<option name="charting.chart.bubbleSizeBy">area</option>
<option name="charting.chart.nullValueMode">gaps</option>
<option name="charting.chart.sliceCollapsingThreshold">0.01</option>
<option name="charting.chart.stackMode">default</option>
<option name="charting.chart.style">shiny</option>
<option name="charting.drilldown">all</option>
<option name="charting.layout.splitSeries">0</option>
<option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
<option name="charting.legend.placement">right</option>
</chart>
</panel>
<panel>
<chart>
<title>8th Gauge</title>
<search>
<query>index=_internal earliest=-5m sourcetype=splunkd | stats count | gauge count [search sourcetype=splunkd index=_internal earliest=-20m latest=-10m | stats count as max | eval first=0 | eval second=10 | eval third=max/2 | eval fourth=max | eval range=first+" "+second+" "+third+" "+fourth | return $range]</query>
<earliest></earliest>
<latest></latest>
</search>
<option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
<option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
<option name="charting.axisTitleX.visibility">visible</option>
<option name="charting.axisTitleY.visibility">visible</option>
<option name="charting.axisTitleY2.visibility">visible</option>
<option name="charting.axisX.scale">linear</option>
<option name="charting.axisY.scale">linear</option>
<option name="charting.axisY2.enabled">0</option>
<option name="charting.axisY2.scale">inherit</option>
<option name="charting.chart">markerGauge</option>
<option name="charting.chart.bubbleMaximumSize">50</option>
<option name="charting.chart.bubbleMinimumSize">10</option>
<option name="charting.chart.bubbleSizeBy">area</option>
<option name="charting.chart.nullValueMode">gaps</option>
<option name="charting.chart.sliceCollapsingThreshold">0.01</option>
<option name="charting.chart.stackMode">default</option>
<option name="charting.chart.style">shiny</option>
<option name="charting.drilldown">all</option>
<option name="charting.layout.splitSeries">0</option>
<option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
<option name="charting.legend.placement">right</option>
</chart>
</panel>
<panel>
<chart>
<title>9th Gauge</title>
<search>
<query>index=_internal earliest=-5m sourcetype=splunkd | stats count | gauge count [search sourcetype=splunkd index=_internal earliest=-20m latest=-10m | stats count as max | eval first=0 | eval second=10 | eval third=max/2 | eval fourth=max | eval range=first+" "+second+" "+third+" "+fourth | return $range]</query>
<earliest></earliest>
<latest></latest>
</search>
<option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
<option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
<option name="charting.axisTitleX.visibility">visible</option>
<option name="charting.axisTitleY.visibility">visible</option>
<option name="charting.axisTitleY2.visibility">visible</option>
<option name="charting.axisX.scale">linear</option>
<option name="charting.axisY.scale">linear</option>
<option name="charting.axisY2.enabled">0</option>
<option name="charting.axisY2.scale">inherit</option>
<option name="charting.chart">markerGauge</option>
<option name="charting.chart.bubbleMaximumSize">50</option>
<option name="charting.chart.bubbleMinimumSize">10</option>
<option name="charting.chart.bubbleSizeBy">area</option>
<option name="charting.chart.nullValueMode">gaps</option>
<option name="charting.chart.sliceCollapsingThreshold">0.01</option>
<option name="charting.chart.stackMode">default</option>
<option name="charting.chart.style">shiny</option>
<option name="charting.drilldown">all</option>
<option name="charting.layout.splitSeries">0</option>
<option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
<option name="charting.legend.placement">right</option>
</chart>
</panel>
<panel>
<chart>
<title>10th Gauge</title>
<search>
<query>index=_internal earliest=-5m sourcetype=splunkd | stats count | gauge count [search sourcetype=splunkd index=_internal earliest=-20m latest=-10m | stats count as max | eval first=0 | eval second=10 | eval third=max/2 | eval fourth=max | eval range=first+" "+second+" "+third+" "+fourth | return $range]</query>
<earliest></earliest>
<latest></latest>
</search>
<option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
<option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
<option name="charting.axisTitleX.visibility">visible</option>
<option name="charting.axisTitleY.visibility">visible</option>
<option name="charting.axisTitleY2.visibility">visible</option>
<option name="charting.axisX.scale">linear</option>
<option name="charting.axisY.scale">linear</option>
<option name="charting.axisY2.enabled">0</option>
<option name="charting.axisY2.scale">inherit</option>
<option name="charting.chart">markerGauge</option>
<option name="charting.chart.bubbleMaximumSize">50</option>
<option name="charting.chart.bubbleMinimumSize">10</option>
<option name="charting.chart.bubbleSizeBy">area</option>
<option name="charting.chart.nullValueMode">gaps</option>
<option name="charting.chart.sliceCollapsingThreshold">0.01</option>
<option name="charting.chart.stackMode">default</option>
<option name="charting.chart.style">shiny</option>
<option name="charting.drilldown">all</option>
<option name="charting.layout.splitSeries">0</option>
<option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
<option name="charting.legend.placement">right</option>
</chart>
</panel>
</row>
</dashboard>
... View more
05-07-2015
03:22 PM
tks very much for this, exactly what I was looking for:
And just for my reference/clarification.
I get an output like this:
x y1 y2 y3 y4
709 0 10 689.500000 1379
which comes from the seach something like:
x --> stats count | gauge count (the will be the value in the gauge)
y1 --> first (y's are the different ranges in the gauge )
y2 --> second
y3 --> third
y4 --> fourth
I presume you can have more y s?
... View more
05-07-2015
02:03 PM
I am looking at the radial/marker/and filler gauge viualistions.
As I understand it I have to have my search so that there is only one value present in the stats tab, done with a serach like this:
... | stats max(kpi1) as KpiName in this case it is 377.12
And this produces something like this for the filler gauge (similar for radial/marker gauges):
<a href="http://tinypic.com?ref=2zgrjw8" target="_blank"><img src="http://i57.tinypic.com/2zgrjw8.jpg" border="0" alt="Image and video hosting by TinyPic"></a>
Now what I want is to be able to contol the max value (i.e. 500 in this case) of the gauge dynmically?
THe way to do this currently is go into format and adjust the colour ranges accordingly, I want to make this more dynamic.
Can I do something like this by having this extra value produced from my search? The field is available in the dataset.
Also, but I may ask this in another questions is how can I show the % value(i.e. 377.12/500*100 =75%) here also. Can this be done using the search or do i have to use advanced XML or even HTML.
... View more
05-07-2015
01:37 PM
esix_splunk comment above works, but still not 100% sure if its the null values or the missing fields. It might be that field1 is associated with group1 and field2 is associated with group2, and I am trying to sum field1 and field2
... View more
05-04-2015
08:32 PM
this works, if LABEL1 is the column header
...| timechart span=1h sum(kpi1) as Name1 by LABEL | rename LABEL1 as test123
... View more
05-04-2015
08:24 PM
I have a search
...| timechart span=1h sum(kpi1) as Name1 by LABEL
This gives a 2 column output with _time and LABEL1 as there headers.
How Can I control the value LABEL1 of the header for the colum to be something else?
I have tried doing ...| strcat LABEL "-ALT" LABEL_ALT | timechart span=1h sum(kpi1) as Name1 by LABEL_ALT but this seem to divide the values in the ` LABEL1 by 2 which is not what I want, maybe it is something to do with the data format.
... View more
05-04-2015
04:20 PM
using this seems to make this work sum(eval(c84163237 + c84163241)) as Sum_Traffic3 but still not fully sure why. As the values are genereally 0 or greater by doing .. | stats values(c84163237) values(c84163241)
Sorry, I cannot share my data set.
... View more
05-03-2015
03:33 PM
tks, I think I have it
this line:
name="charting.chart.overlayFields">"maxTput_Mbps_perDay: C01K"</option> <option
should be written as:
name="charting.chart.overlayFields">"maxTput_Mbps_perDay: $token1$"
This way the formatting will be applied accross all the different choices in the dropdown.
... View more
05-03-2015
03:25 PM
tks, so I changed the default value to another option, then reloaded the page and the formatting does not hold for that graph still. However if I pick from the drop down the initial default value the original formatting is returned.
How do I get it to remember this formatting setting for all the different dropdown options?
what od you mean the problem is coming from my data? Should I be able to get this to work?
... View more
04-30-2015
03:33 PM
I have created a dashboard using forms with input tags creting a dropdown.
In my search I use $token1$ used to control the search
I have one graph that has 2 serieses(i.e. 2 names in the legend)
1 series is a column
with the 2nd series I have selected as chart overlay and i have selected View as Axis
Now this all works but when I go to select a different token from the dropdown e.g. C01K to C02K then the formatting of the graph(e.g. chartoverlays...) is not kept.
Is there anyway I can select different choices from the dropdown and keep the formatting of the graph in question?
Here is a pic of the graph in the correct format( when another option is selected from the dropdown the yellow line effectivly falls to zero as it moves to the primary axis)
A snippet of the XML code the drop down part:
<input type="dropdown" token="token1">
<label>NAME:</label>
<choice value="C01K">C01K</choice>
<choice value="C02K">C02K</choice>
<choice value="C03S">C01S</choice>
<default>C01K</default>
</input>
A snippet of the XML code the panel part:
`
<panel>
<chart>
<title>last 30days _default _column</title>
<searchString> ... search string goes here with $token1$ used to control the search ... </searchString>
<earliestTime/>
<latestTime/>
<option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
<option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
<option name="charting.axisTitleX.visibility">visible</option>
<option name="charting.axisTitleY.visibility">visible</option>
<option name="charting.axisTitleY2.visibility">visible</option>
<option name="charting.axisX.scale">linear</option>
<option name="charting.axisY.scale">linear</option>
<option name="charting.axisY2.enabled">1</option>
<option name="charting.axisY2.minimumNumber">0</option>
<option name="charting.axisY2.scale">inherit</option>
<option name="charting.chart">column</option>
<option name="charting.chart.nullValueMode">gaps</option>
<option name="charting.chart.overlayFields">"maxTput_Mbps_perDay: C01K"</option>
<option name="charting.chart.sliceCollapsingThreshold">0.01</option>
<option name="charting.chart.stackMode">default</option>
<option name="charting.chart.style">shiny</option>
<option name="charting.drilldown">all</option>
<option name="charting.layout.splitSeries">0</option>
<option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
<option name="charting.legend.placement">right</option>
</chart>
</panel>
`
... View more
04-29-2015
07:17 PM
I prefer fields
table changes the time format to this which dosen't look as good on the x-axis
2015-04-29 14:00:00
using fields it stays as this
2015-04-29 13:00
... View more
04-29-2015
06:48 PM
tks chimell, its not something I fully understand myself yet but here is an explanation I have made from above, it is of any help to you, or at least it is hopefully clear:
it has something to do with my search before I do the timechart
I have ...measInfoId=83888114 OR measInfoId=83888115 | timechart... but the thing is to view this field c84163237 I need to select 83888114 and to view this field c84163338 I need to select 83888115.
But I still would have though the method work on this.
So it seems the counter needs to be from the same measInfoId for it to work
E.G. this will work as c84163237 + c84163241 both fall under measInfoId=83888114
... measInfoId=83888114 OR measInfoId=83888115 duration=* LABEL=RNC01SJH | eval test1=c84163237 + c84163241 | timechart span=h sum(c84163237) sum(c84163338) sum(eval(c84163237 + c84163241)) as Sum_Traffic3 sum(test1)
More explanation:
eval test1=c84163237 + c84163241 - this works
sum(eval(c84163237 + c84163241)) as Sum_Traffic3 - this works
... View more
04-29-2015
06:42 PM
tks jim, that does the trick,
but if I have columns as follows; _time, field1, .... field11, field12 ....
and then I do: fields field11 field12
I get: field11, field12, _time
so to have _time as the leftmost column i have to do: fields _time field11 field12
which must be jsut how it works I guess?
... View more
04-29-2015
05:12 PM
if I have 20 columns on display in the stats tab view after my search, can I just remove the first 10? Instead of having to name all 10 for deletion?
So my search would look something like:
...search... | fields -1-10
Or better still can I delete all but the last 6?
... View more
- Tags:
- fields
04-29-2015
05:04 PM
Going back to the start I have found a somewhat alternative solution taht I touched on earlier:
| timechart span=h sum(c84163237) as sT_IC sum(c84163338) as sT_OG by LABEL | addtotals fieldname=NE1 "*NE1" | addtotals fieldname=NE2 "*NE2" |
explanation:
"*NE1" - search for any columns with this name and add them together and store them in a new column NE1
NE1 - this is the name of the new column you created
This will leave me with alot of columns taht I want and alot that I do not want in the stats tab view. Now I just need to work out how to drop the first N columns.
... View more
04-29-2015
04:32 PM
Sorry but that does not work(the sumTraffic3 column does not appear) and i have many LABELs so there is in fact many columns
... View more
04-29-2015
03:48 PM
it has something to do with my search before I do the timechart
I have ...measInfoId=83888114 OR measInfoId=83888115 | timechart... but the thing is to view this field c84163237 I need to select 83888114 and to view this field c84163338 I need to select 83888115.
But I still would have though the method work on this.
So it seems the counter needs to be from the same measInfoId for it to work
E.G. this will work as c84163237 + c84163241 both fall under measInfoId=83888114
... measInfoId=83888114 OR measInfoId=83888115 duration=* LABEL=RNC01SJH | eval test1=c84163237 + c84163241 | timechart span=h sum(c84163237) sum(c84163338) sum(eval(c84163237 + c84163241)) as Sum_Traffic3 sum(test1)
More explanation:
eval test1=c84163237 + c84163241 - this works
sum(eval(c84163237 + c84163241)) as Sum_Traffic3 - this works
... View more
04-29-2015
03:24 PM
tks...
can i convert them to numeric?
why can do a summate like this stats sum(c84163237) as "seizureTraffic" by userLabel this would sum them all for yesterday?
Why is the problem when I want to sum the 2 c* fields together?
Am a bit confused.
... View more
04-29-2015
01:19 PM
2 Karma
tks but that did not work for me.
However reading here I got this to work
search1 endtime= 03/16/2015:00:00:00 | append [search search2 starttime= 03/16/2015:00:00:00 latest=@d ]
endtime= 03/16/2015:00:00:00 - all data upto midnight on the 15th
03/16/2015:00:00:00 - all data after midnight on the 15th
latest=@d - all data up to midnight yesterday
... View more
