Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Limiting high numbers

RobertRi
Communicator
‎12-12-2014 02:11 AM

Hi

I have a timechart with integers, every minutes. Normaly, the value of the integers are between 1 and 120.
Sometimes it happens that a value can be over 500. In this case of failure, I would like to set the high value to 120 and would like to highlight it in a different color.

Is this possible with splunk with the default search tools?

Thanks for your tips
Rob

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

aweitzman
Motivator
‎12-12-2014 07:53 AM

It doesn't appear that you can control the color of the resulting chart using just the search language - you'll have to create a dashboard panel to do that. However, here's how you can get the chart you want:

...your timechart search...
| eval green=if(count<=120,count,0) 
| eval red=if(count>120,120,0) 
| fields - count

If you do this and format your chart to be a stacked bar chart, you'll see that the "red" ones (whatever color they end up being) are capped at 120 and a different color than the "green" ones. But they won't actually be red and green - again, you'll need to turn this into a dashboard panel and modify it to get those specific colors.

View solution in original post

Reply
Solved! Jump to solution
Solution

aweitzman
Motivator
‎12-12-2014 07:53 AM

It doesn't appear that you can control the color of the resulting chart using just the search language - you'll have to create a dashboard panel to do that. However, here's how you can get the chart you want:

...your timechart search...
| eval green=if(count<=120,count,0) 
| eval red=if(count>120,120,0) 
| fields - count

If you do this and format your chart to be a stacked bar chart, you'll see that the "red" ones (whatever color they end up being) are capped at 120 and a different color than the "green" ones. But they won't actually be red and green - again, you'll need to turn this into a dashboard panel and modify it to get those specific colors.

Reply
Solved! Jump to solution

RobertRi
Communicator
‎12-15-2014 03:35 AM

Ok thanks that helps

Regards
Rob

Reply
Solved! Jump to solution

RobertRi
Communicator
‎12-12-2014 04:26 AM

Hi Stephane

Thank you for taking the time to help.

This command is the same like 

mysearch | search fieldname <=120

The problem here is, that the high numbers above 120 are disappeared and there are little gaps in the timeline,
which can't be seen easily i the report.

So I decide to show it as the highest possible number (120) in the report, that we see, attention here are potential failures.

If I could color this bar with 120 in a different color, this would be great.

Thank you
Rob

0 Karma
Reply
Solved! Jump to solution

stephane_cyrill
Builder
‎12-12-2014 04:10 AM

To limit high number at 120 as you want you can use eval commande like this:

yourSearch.....|eval FieldName=FieldName|where FieldName<=120

where FieldName is the field that content your integer values

0 Karma
Reply
Solved! Jump to solution

stephane_cyrill
Builder
‎12-12-2014 02:36 AM

hi,i'm seeing what i can do for you

0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...