Splunk Search

How do I display the content from my search results table in a scatter or D3 chart?

rajgowd1
Communicator

Hi,

I have a search which displays content in a table format. Here is the search, and I would like to show the results in a scatter chart or in D3.

index=myindex mess_type=OUT origin=* org_name=* env=* (app_name=cap-demo-test OR app_name=nem-cap-bat OR app_name=nem-cap-pag) | eval newmsg="UPDATE" | rex field=fullmsg "(?<newmsg>CRASHED|STARTED|STOPPED)" | table app_name, time, source_instance, newmsg | sort app_name, time, source_instance, newmsg
0 Karma
1 Solution

dbcase
Motivator

Hmmmm well a couple of thoughts

Have you tried formatting the timechart as a multi-series? This way each series is on a chart of its own. Might be easier to understand that way.

Another option would be to try a Horizon Chart (it's a Splunkbase add-on - https://splunkbase.splunk.com/app/3117/)

What is it in particular that the manager doesn't understand?

rajgowd1
Communicator

Hi, thanks for your response.
I tried multi-series; it's better now.

And I tried the Horizon chart, but they were using a search something like timechart useother="f" span=1d limit=10 latest(open) by ticker_symbol

but I am not sure how I can write my query to fit into the Horizon chart.

0 Karma

dbcase
Motivator

Yeah, that is one limitation of the Horizon chart: it will only graph 10 Y-axis values.

Glad to hear multi-series helped!!!

0 Karma

rajgowd1
Communicator

Thank you. I do not see an accept button.
Where can I accept this answer?

0 Karma

dbcase
Motivator

Just converted it to an answer

0 Karma

gcusello
SplunkTrust

Hi rajgowd1,
the best way to do what you want is to download and install the Splunk 6.x Dashboard Examples App (https://splunkbase.splunk.com/app/1603/), which fully describes, with an example, how to create a scatter chart.
Bye.
Giuseppe

0 Karma

rajgowd1
Communicator

Hi,
I went through the dashboard examples, but it does not have the chart like I mentioned in my question.

Is there a way we can show time on the x-axis and state on the y-axis?

0 Karma

dbcase
Motivator

Would using timechart work?

0 Karma

rajgowd1
Communicator

Hi,
Here is the data I am displaying in table format. I can use timechart, but it is not giving all four fields below in any chart format.

Can we represent the table below in any kind of chart?

app_name       time                   source_instance   newmsg
ccp-demo-test  2016-12-24T22:33:17Z   1                 STOPPED
ccp-demo-test  2016-12-24T22:33:18Z   0                 STARTED
ccp-demo-test  2016-12-25T17:48:03Z   1                 STOPPED
ccp-demo-test  2016-12-25T17:48:04Z   2                 STARTED
ccp-demo-test  2016-12-27T16:19:07Z   2                 STOPPED

0 Karma

dbcase
Motivator

What if you concatenated the four fields (or a subset)?

i.e.

eval variable1=field1." - ".field2

and then used variable1 as the group by with the timechart

i.e.

your search | timechart count by variable1

Would something like that work?

0 Karma

rajgowd1
Communicator

Hi,
It works and I understand it, but the higher manager doesn't understand this representation.

Is there any alternate way to represent it?

0 Karma
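Putting the thread's suggestions together, here is an added Simple XML dashboard panel (example code, not from this thread or from the Splunkbase apps mentioned in it) that plots time on the x-axis and state on the y-axis, with one series per app and source_instance as dbcase suggested. It assumes the rex capture group is named newmsg (the table column) and that time is the ISO-8601 string shown in the table; the numeric state mapping and the series name are the example's own choices.

```xml
<dashboard>
  <label>App state over time (added example)</label>
  <row>
    <panel>
      <chart>
        <title>STARTED / STOPPED / CRASHED per app and source_instance</title>
        <!-- Stages of the query below:
             1. the thread's own base search and rex (capture group assumed to be named newmsg)
             2. strptime turns the ISO-8601 "time" string from the table into _time so timechart can bucket it
                (drop that line if the events already carry a usable _time)
             3. newmsg is mapped to a number so that state can sit on the y-axis
             4. app_name and source_instance are concatenated into one series, as suggested in the thread
             5. latest() per hour keeps the most recent state, limit=0 lifts the default 10-series cap,
                and filldown carries the last known state across empty buckets -->
        <search>
          <query>index=myindex mess_type=OUT origin=* org_name=* env=* (app_name=cap-demo-test OR app_name=nem-cap-bat OR app_name=nem-cap-pag)
| rex field=fullmsg "(?&lt;newmsg&gt;CRASHED|STARTED|STOPPED)"
| eval _time=strptime(time, "%Y-%m-%dT%H:%M:%SZ")
| eval state_num=case(newmsg=="STARTED", 1, newmsg=="STOPPED", 0, newmsg=="CRASHED", -1)
| eval series=app_name." - instance ".source_instance
| timechart span=1h limit=0 useother=f latest(state_num) by series
| filldown</query>
          <earliest>-7d@d</earliest>
          <latest>now</latest>
        </search>
        <!-- A line chart with connected nulls reads as a step-like state timeline; the y-axis title explains the encoding -->
        <option name="charting.chart">line</option>
        <option name="charting.chart.nullValueMode">connect</option>
        <option name="charting.axisTitleY.text">1 = STARTED, 0 = STOPPED, -1 = CRASHED</option>
        <option name="charting.legend.placement">bottom</option>
      </chart>
    </panel>
  </row>
</dashboard>
```

Save it as a new dashboard in Splunk Web; each series then shows a line that steps between 1, 0 and -1 as the app's instances start, stop or crash, which is easier to read at a glance than a count-by-concatenated-field chart.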