@ITWhisperer thanks for your reply. You have definitely put me on the right path. My original data has more ID and attribute fields, so I needed to find a way to generalize your solution further. I had a bit of a struggle to understand why you chose these particular three eventstats lines with their respective values(...) and by ... clauses. I believe a more generic recipe would be like this: If you have n ID fields and k attribute fields, do one eventstats ... by ID for each of the n ID fields: | eventstats values(ID_2) as ID_2, .., values(ID_n) as ID_n, values(attr_1) as attr_1, .., values(attr_k) as attr_k by ID_1 | eventstats values(ID_1) as ID_1, values(ID_3) as ID_3, .., values(ID_n) as ID_n, values(attr_1) as attr_1, .., values(attr_k) as attr_k by ID_2 | eventstats .. by ID_3 | eventstats .. by ID_n-1 | eventstats values(ID_1) as ID_1, .., values(ID_n-1) as ID_n-1, values(attr_1) as attr_1, .., values(attr_k) as attr_k by ID_n   The subsequent mvexpand and streamtstats count ... where count==1 can be simplified as: | fillnull value="N/A" ```or stats by fieldlist ignores rows with at least one null value in fieldlist``` | stats count by ID_1, ..., ID_n, attr_1, ..., attr_k | fields - count | foreach * [ | eval <<FIELD>>=if(<<FIELD>>=="N/A",null(),<<FIELD>>) ] ```undo the N/A replacement``` This stanza even expands possible multivalues in all of the n attributes - otherwise each attribute field with potential multivalues would need its own explicit mvexpand <attr> . It also avoids mvexpand's potential memory issue.   For my own sample data, it would read: | makeresults | eval _raw="ID_A;ID_B;X1;X2 A1;B1;X1_1;X2_1 A2;B2;X1_2A;X2_2 A2;B2;X1_2B;X2_2 A3;B3;X1_3;X2_3 " | multikv forceheader=1 | table ID_A, ID_B, X1, X2 | append [ | makeresults | eval _raw="ID_A;ID_B;Y1;Y2 A2;B2;Y1_2; A2;B2;;Y2_2 A3;B3;;Y2_3A A3;B3;;Y2_3B A4;B4;Y1_4;Y2_4 " | multikv forceheader=1 | table ID_A, ID_B, Y1, Y2 ] | append [ | makeresults | eval _raw="ID_B;ID_C;Z1 B1;C1;Z1_1 B3;C3;Z1_3 B5;C5;Z1_5 " | multikv forceheader=1 | table ID_B, ID_C, Z1 ] | table ID_A, ID_B, ID_C, X1, X2, Y1, Y2, Z1 ```--- relevant code starts here ---``` | eventstats values(ID_B) as ID_B, values(ID_C) as ID_C, values(X1) as X1, values(X2) as X2, values(Y1) as Y1, values(Y2) as Y2, values(Z1) as Z1 by ID_A | eventstats values(ID_A) as ID_A, values(ID_C) as ID_C, values(X1) as X1, values(X2) as X2, values(Y1) as Y1, values(Y2) as Y2, values(Z1) as Z1 by ID_B | eventstats values(ID_A) as ID_A, values(ID_B) as ID_B, values(X1) as X1, values(X2) as X2, values(Y1) as Y1, values(Y2) as Y2, values(Z1) as Z1 by ID_C | fillnull value="N/A" ```or stats by fieldlist ignores rows with at least one null value in fieldlist``` | stats count by ID_A, ID_B, ID_C, X1, X2, Y1, Y2, Z1 | fields - count | foreach * [ | eval <<FIELD>>=if(<<FIELD>>=="N/A",null(),<<FIELD>>) ] ```undo the N/A replacement```   Please let me know if I have overlooked something. ... View more

Small correction: In the result table, rows 4 and 5, ID_C should be "C3" (from table Z). ... View more

Above Link (https://answers.splunk.com/answers/52850/plotting-text-values-on-y-axis.html) does not work for me. Has this question ever been answered? I am also looking for a way to show words (enumerations) on the Y-axis ticks. Such as state descriptors "-1=unknown, 0=off, 1=reduced_mode, 2=on" etc. ... View more

Yes, I also had that idea: So, calculate log(analog_value)  and plot that a linear Y axis? While that produces a proper visual, you can't read the value of analog_value any more (only it's log). But the illegibility of the true values still bothers me, which is why I was hoping for an even more perfect solution, somehow... Maybe there is none. ... View more

Thank you @bowesmana for your comprehensive reply and example! It works fine - but unfortunately it still doesn't get the logarithmic scale on the overlay right. While setting  <option name="charting.axisY2.scale">log</option> does not yield any validation error, it simply doesn't work as expected. Your example image also shows a linear secondary Y axis. When editing this dashboard in the graphical editor, I get an error when I try to change the Y axis to logarithmic. Maybe there is just no possible way in Splunk to do what I want to do? ... View more

Hi @spavin , thank you very much - that works! Great help! Just a small addition: I think we can even skip the 'foreach' command and simply write | eval values = json_extract_exact(ips, keys) ...because at this point after the 'mvexpand', 'keys' only contains a single key. ... View more

@VatsalJagani Thanks, it works now. I must have made some stupid typo before, but the idea was there at least... However: This solution only works if the value (for nodes) and linkText follow distinct patterns, which makes them somehow distinguishable, e.g. using regex. Is there a solution that works for any value and linkText values? ... View more