Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How can we get the scatter chart mentioned in http://www.splunk.com/view/SP-CAAACGB to work?

user21041983
Explorer
‎06-23-2015 05:13 AM

How can we get the scatter chart mentioned in the link http://www.splunk.com/view/SP-CAAACGB to work?

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

koshyk
Super Champion
‎06-23-2015 05:35 AM

Best way is to download "simple_xml_examples" app which has got a working version of "Scatter chart"

The core logic is something like below: 

  <chart>
    <title>HTTP 2xx Success Response</title>
    <searchPostProcess>| where (status) >= 200 and (status) < 300</searchPostProcess>
    <option name="charting.chart">scatter</option>
  </chart>

View solution in original post

Reply
Solved! Jump to solution
Solution

koshyk
Super Champion
‎06-23-2015 05:35 AM

Best way is to download "simple_xml_examples" app which has got a working version of "Scatter chart"

The core logic is something like below: 

  <chart>
    <title>HTTP 2xx Success Response</title>
    <searchPostProcess>| where (status) >= 200 and (status) < 300</searchPostProcess>
    <option name="charting.chart">scatter</option>
  </chart>
Reply
Solved! Jump to solution

user21041983
Explorer
‎07-01-2015 01:21 AM

Can you guide me specifically to scatter/bubble examples that are plotted against time?

0 Karma
Reply
Solved! Jump to solution

koshyk
Super Champion
‎07-01-2015 02:30 AM

The sample in above app shows scatter plotted against time where time is "date_hour". You could change the X axis interval to "1" to have it on hourly basis. Also note, Splunk Scatter chart can have 1000 data points max.
index = _internal | stats count, mode(status) by method, status, date_hour | where (status) >= 200 and (status) < 300

The same goes for bubble chart as well is also shown with "date_hour" as X axis.
index = _internal sourcetype=splunkd_access | stats count sum(bytes) as "Total Bytes" by status, date_hour | table status date_hour count "Total Bytes"

There are some complicated examples to use _time, but it is much easier to use date_hour

0 Karma
Reply
Solved! Jump to solution

user21041983
Explorer
‎07-01-2015 02:58 AM

Thanks for the quick response. Howover, my use case requires the monthly/date context preserved. Finding it hard to crack! Did not find anything specific on the link provided. Is there something specific there you pointed out?

0 Karma
Reply
Get Updates on the Splunk Community!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...