Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Bubble Charts input data structure [lacking do...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
From the latest docs, this is the simplest prerequisite to build a bubble chart,
"1. A single series structure that contains 3 columns. The first column (column 0) contains the values to be plotted on the x-axis. The second column (column 1) contains the values to be plotted on the y-axis. And the third column (column 2) contains the values to be plotted on the z-axis."
then why does the bubble chart fail to draw anything
(it originally was charting some nonsense bubbles when I was incorrectly feeding the _time field to the y axis)
when I build a search which feeds it the following table?
_time category count
7/4/12 1:00:00.291 PM TIMEOUT 10
7/4/12 4:00:00.294 PM HIT_MAX_REQ_LIMIT 3
7/4/12 1:00:00.296 PM ORA_EXCEPTIONS 1
7/4/12 4:00:00.296 PM ORA_EXCEPTIONS 0
7/4/12 1:00:00.300 PM HIT_MAX_REQ_LIMIT 2
7/4/12 4:00:00.291 PM HIT_MAX_REQ_LIMIT 1
This is my simple XML content,
<option name="charting.chart">bubble</option>
<earliestTime>-48h@h</earliestTime>
<latestTime>now</latestTime>
How should I use them ?
Splunk devs, please further improve the bubble charts documentation with an example.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I've consulted Splunk's expert on chart visualization issues and as it turns out when you've selected the "bubble" chart type in simple XML, Splunk will by default expect the y-axis to be a numeric value. This is (probably) why you're running into trouble.
You should be able to override this by changing the y-axis parameter in the simple XML for the chart. Try adding this line to the bubble chart XML and see if it doesn't solve your problem:
<option name="charting.axisY">category</option>
If it does I'll get the docs updated so they make this issue more clear.
(Note: The use of "category" here is not a reference to your "category" field, but rather an indication that you want the y-axis to display categorical values--strings, as opposed to numbers or timestamps. For more info see the topic on charting library axis parameters.)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I've consulted Splunk's expert on chart visualization issues and as it turns out when you've selected the "bubble" chart type in simple XML, Splunk will by default expect the y-axis to be a numeric value. This is (probably) why you're running into trouble.
You should be able to override this by changing the y-axis parameter in the simple XML for the chart. Try adding this line to the bubble chart XML and see if it doesn't solve your problem:
<option name="charting.axisY">category</option>
If it does I'll get the docs updated so they make this issue more clear.
(Note: The use of "category" here is not a reference to your "category" field, but rather an indication that you want the y-axis to display categorical values--strings, as opposed to numbers or timestamps. For more info see the topic on charting library axis parameters.)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The bubbles are the same color because you've set this up as a single series bubble chart. To get different colors, you'd need to configure the chart to handle multiple series. This would utilize a four-column table, where the first column would be the series (in your case, most likely the "category" field), and then the other three would be the x, y, and z axes respectively.
I'll look into the zero value issue.
Have you considered going with a stacked column chart instead? It seems like that would do a better job of expressing what you're trying to express here.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Also,
I expected a bubble to not be charted when the y axis value has a corresponding z axis 0 value.
I tried both the following lines but the 0 value bubbles kept being drawn,
0
false
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
mattness,
category
did indeed get the bubble chart closer to what I need.
https://dl.dropbox.com/u/927023/bubble2.PNG
However, why are all the bubbles the same color (when there are several diferent y axis metrics)?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I do appreciate it. Thank you.
I will try it tomorrow as soon as I arrive to work.
Could you please take a look in my initial question http://splunk-base.splunk.com/answers/52300/search-generate-a-time-causes-count-collums-table and clarify if I indeed need to transform the data (or if there is a simpler way) into the aforementioned table ?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
For the record,
this doubt is related to my initial question,
http://splunk-base.splunk.com/answers/52300/search-generate-a-time-causes-count-collums-table
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
[Puzzles] Solve, Learn, Repeat: Matching cron expressions
Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass
May 2026 Splunk Expert Sessions: Security & Observability
