The values are already there in the label.
If the fieldnames are service_foo, host_name and count, and the values are service1, host1 and 23, then the label is showing
service_foo: service1
host1: 23
As far as _time, it doesn't exist in the query at that point.
So, for purposes of discussion, here's a query that generates random counts of events across a time period for 4 hosts in 3 different "services"
| gentimes start="01/25/2017:23:00:00" end="01/27/2017:01:00:00" increment=23m
| streamstats count as baseEvent | eval series="A"
| append[| gentimes start="01/26/2017:03:00:00" end="01/26/2017:21:00:00" increment=47m | streamstats count as baseEvent | eval series="B"]
| append[| gentimes start="01/26/2017:01:17:00" end="01/26/2017:23:18:00" increment=21m | streamstats count as baseEvent | eval series="C"]
| eval rand1 = random()
| eval adder1 = tonumber(substr(tostring(rand1),1,4))
| eval adder2 = tonumber(substr(tostring(rand1),max(len(rand1)-4,3),4))
| eval sometimes=mvappend(tostring(starttime),tostring(starttime+adder1),tostring(starttime+adder2))
| mvexpand sometimes
| eval _time=sometimes
| eval rand2 = random()
| eval value=substr(rand2,len(rand2)-2,2)
| eval rand3 = random()
| eval host = case(rand3>1800000000,"Host1",rand3>1200000000,"Host2",rand3>600000000,"Host3",true(),"Host4")
| bin _time span=15m
| stats count as eventcount, sum(value) as sumvalue by _time host series
| rename series as service_foo, host as host_name, sumvalue as count
| table _time, service_foo, host_name, count
Everyone can drop that into your current xyseries command like so:
| xyseries service_foo, host_name, count
can you provide syntax/current visualization?
Is it possible to get answer for this?
try | xyseries service_foo host_name value
the last field in an xyseries is supposed to be the value being charted.
If that doesn't work, we might need more information. what data looks like before and after the xyseries. that command is finicky.
if we need to show 4 or more value in lable means, how can I?
this is for host cpu utilization. Need to show Process %, host name,application running and counts, time.
this is for host cpu utilization. Need to show Process %, host name,application running and counts, time, while placing the pointer in bar chart
You can merge two fields into 1 using string concatenation in some and use that field for charting so that the label of concatenated field show 2 label values. Need full, actual search to give more accurate suggestions.
how to show five values individual in label in visualization of splunk
you can just eval as many fields together as you need:
|eval label=field1+"-"+field2+"-"+field3+"-"+.......|stats count by label
just as an example would give you the count for every label that had all these random fields concatenated together.
I have to show additional 2 values and filed name in label apart from x and y values in bar chat.
index.foo host="foo" |.... eval foo...| xyseries service_foo host_name count.....
In this above query, I can see two field values in bar chart (labels)..look like
1.Service_foo : value
2. host_name: count's value & Host_name are showing in legend.
But I need all three value with field name in label while pointing the specific bar in bar chart. its should be like
1. Service_foo: value,
2. count : value,
3.host_name:value.
how to come up with above three value in label in bar chart.
Would it be possible for you to provide sample values for the three fields i.e.
service_foo host_name count