Dashboards & Visualizations

multiple bar charts from one search result table

billself
New Member

Hi

I have a search that returns a table with 3 columns; the first column is the process name, the second is timestamps (say every 5 minutes for the last 4 hours), the third is the number of items in the queue for that process at that timestamp. I'd like to generate a separate bar chart for each of the processes (there can be 30 or more processes so generate that many small bar charts).

Can this be done or do I need over 30 searches or 30 filters against one search or some-such and generate a chart from each of those searches?

Thanks for any help you can give (we have Splunk Enterprise 6.5).

Bill

0 Karma

billself
New Member

Hi

Thanks for your help on this. In the end I used individual queries (mostly the same but '... | search process="process_name" ') for each bar chart on one dashboard. Not ideal but is working well.

Bill

0 Karma

gokadroid
Motivator

If you already have fields called process, myTime (5 minutes difference time over the last four hours), and queue_item, can you not try this and see if that's what you needed:

your query to return the process, myTime and queue_item
| chart count(queue_item) over myTime by process

Choose bar chart as the visualization option.

If the time division is not already done and you need to perform this 5-minute division first, just add earliest=-4h in the first line of the search that you perform and later | bucket _time span=5m to divide _time into 5-minute spans, then do similar charting, like:

your query to return the process and queue_item earliest=-4h
| bucket _time span=5m
| chart count(queue_item) over _time by process
0 Karma

Flynt
Splunk Employee

I'd look into http://docs.splunk.com/Documentation/Splunk/6.5.0/Viz/Savedsearches#Post-process_searches where you have a base search that contains your "datacube" or all the results you want. Then define some postprocess searches that filter down to your processes. Afaik, there's no way in simplexml to spawn off multiple visualizations from one result set without postprocess. If there was a way to group the processes, that would cut down on the amount of filters needed, then you could show a bar chart with a group of say 5 processes or what have you.

0 Karma