I have a field with a small set of possible text values.
I'd like to plot the value of that field over time.
As a first pass I used eval to convert the text values to numerical values. Then I was messing around with changing the labels when I saw on this documentation page: http://www.splunk.com/base/Documentation/4.1.7/Developer/CustomChartingConfig-AxisGrid#categoryaxes
That there was a "category" chart type. I'm curious how that sort of chart works and if I can use it to graph a string-state value.
eg:
Y-Axis values:
X-Axis values:
I gave it a try, but it didn't seem to work. Does it work this way? Am I reading too much into the option?
Sounds like you're trying to chart OVER distinct values, use something like this. | chart max(delay) over foo by bar
Also I have another one that is either True or False. I'd like to be able to plot a square wave for the data toggling back and forth, and I'd like it to be obvious that a "0" is 'true' and a "1" is 'false'.
The way I was doing it with eval, green = 0, yellow = 1, amber = 2, red = 3. Then I was timecharting max(color) for the timespan bins. However the y-axis was labeled with numbers and I'd rather have the color names there. So I was hoping I could use a category chart and skip the eval step, and graph every event (rather than bucketing the events in windows). The events aren't very frequent, so my data density is low.
Not sure I understand what the y-axis is. how would you chart "red" on an axis and distinguish it from "green". Is there a corresponding number or range that means "red", or do you want to chart the count of "red" values, "green" values, etc.?