Splunk Search

Bubble Graph percentage X axis trouble.

Cuyose
Builder

I have a graph where everything looks visually correct; however, the numbers are all off. In the example below the x axis is supposed to represent a %, so 0-100 is all that should be possible. I've gone through a ton of iterations and this is one that graphically looks fine, but the numbers don't work. The X axis goes to over 200, and when you hover over the bubbles, the value that normally would be taken from the x axis and displayed is blank (3rd data row down when hovering over in the bubble chart).

index=app sourcetype=type host=host Action=* ID=* LOCATION=* ROLE=*
    | eval Duration=DurationTotal/1000
    | transaction ID startswith=EndCall maxspan=1h maxpause=15m eventcount
    | eval percent=(Duration/duration)
    | stats dc(Action) as dActions, sum(eventcount) as eventcounts, sum(duration) as calldurations, avg(percent) as PercentInApp by ID LOCATION ROLE
    | where dActions>3
    | stats avg(PercentInApp) as PercentInApp, avg(calldurations) as AverageCallDuration, c as TotalCalls by LOCATION ROLE
    | eval PercentInApp=round(PercentInApp*100,2)

I swear I had this working fine earlier, but lost the query and had to restart. How can I get the bubbles on the X axis to represent the PercentInApp correctly?

0 Karma
1 Solution

Cuyose
Builder

OK, figured it out. Hope this may help someone else. I've kinda been on a bubble chart kick lately. Been remembering the cadence. It's all driven on the last stats command.
1st stat is x axis, 2nd is y axis, 3rd is bubble size (should be count or integer), then the 1st by clause is just a label in the hover-over (no visual representation in the graph), second by clause is the legend and will make different color bubbles. If you only have one "by" clause all bubbles will be the same color and there will be a "null" legend.

index=app sourcetype=type host=host Action=* ID=* LOCATION=* ROLE=*
    | eval Duration=DurationTotal/1000
    | transaction ID startswith=EndCall maxspan=1h maxpause=15m eventcount
    | stats dc(Action) as dActions, sum(duration) as calldurations, sum(Duration) as appduration by ID LOCATION ROLE
    | where dActions>3
    | eval percentapp=round(appduration/calldurations*100,0)
    | stats avg(percentapp) as PercentInApp, avg(calldurations) as AverageCallDuration, c as TotalCalls by LOCATION ROLE

0 Karma
