Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Split results from chart

nadeige1
Engager
‎04-15-2021 09:27 AM

Hello,

I am using the chart command in order to display data using a line chart:

| chart values("torque") as variable over sort by HoleNb

 

But I get the following results:

nadeige1_0-1618503870108.png

Therefore, visualisation is not initialized properly. How do I split the results in order to have something like this?

sort2941294529462948295029512952295429552957OTHER
50
2330
2180
2050
2180
2520
1740
2120
2830
2330
2050
1150
50
2890
2700
2700
3230
3290
2770
3360
2890
2520
2830
1210
50          
1280
50          
1340
50          
1400
50          
1490
Labels (1)
Labels
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎04-15-2021 10:49 AM

Your issue is that chart values has create multi-value fields of different lengths. However, starting from the chart you have created, you could do something like this:

| makeresults 
| eval _raw="sort,2941,2945,2946,2948,2950,2951,2952,2954,2955,2957,OTHER
50,2330,2180,2050,2180,2520,1740,2120,2830,2330,2050,1150
50,2890,2700,2700,3230,3290,2770,3360,2890,2520,2830,1210
50,,,,,,,,,,,1280
50,,,,,,,,,,,1340
50,,,,,,,,,,,1400
50,,,,,,,,,,,1490
60,2335,2185,2055,2185,2525,1745,2125,2835,2335,2055,1155
60,2895,2705,2705,3235,3295,2775,3365,2895,2525,2835,1215
60,,,,,,,,,,,1285
60,,,,,,,,,,,1345
60,,,,,,,,,,,1405
60,,,,,,,,,,,1495"
| multikv forceheader=1
| fields - _* linecount
| untable sort HoleNb Torque
| chart useother=f values(Torque) as Torque by sort HoleNb
``` The above creates a chart similar to yours. I added an extra sort value in case you actually have more than one row. ```


| streamstats count as row 
| foreach * 
    [| eval mvc_<<FIELD>>=mvcount('<<FIELD>>')]
| foreach mvc_*
    [| eval max_rows=if(isnull(max_rows),'<<FIELD>>',if('<<FIELD>>'>max_rows,'<<FIELD>>',max_rows))]
| fields - mvc_*
| streamstats sum(max_rows) as top_row
| append 
    [| makeresults 
    | eval top_row=1
    | eval row=1
    | fields - _time]
| makecontinuous top_row
| sort - top_row
| filldown
| sort row top_row
| streamstats count as mvrow by row
| fields - max_rows row top_row
| foreach *
    [| eval <<FIELD>>=if("<<FIELD>>"!="sort" AND "<<FIELD>>"!="mvrow",mvindex('<<FIELD>>',mvrow-1),'<<FIELD>>')]
| fields - mvrow
0 Karma
Reply

scelikok
SplunkTrust
SplunkTrust
‎04-15-2021 10:30 AM

Hi @nadeige1,

Can you try with list function?

| chart list("torque") as variable over sort by HoleNb
If this reply helps you an upvote and "Accept as Solution" is appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

Join Us for Splunk University and Get Your Bootcamp Game On!

If you know, you know! Splunk University is the vibe this summer so register today for bootcamps galore ...

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

.conf24 is taking place at The Venetian in Las Vegas from June 11 - 14. Continue reading to learn about the ...

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...