Splunk Search

How to display column chart based on events count and display events size in bytes, KB, MB, and GB?

rajgowd1
Communicator

Hi,
I would like to display a column chart based on events count and display events size in bytes, KB, MB and GB.

If events < 1000 ---> display count and size in bytes
If events between 1000 to 10000 ---> display count and size in KB
If events between 10000 to 100000 ---> display count and size in MB
If events > 100000 ---> display count and size in GB

Currently I am using the below search to get count and size in KB:

index=myindex | eval esize=len(_raw) | timechart span=1m count as Count, sum(esize) as "EventsSize" | eval kb=EventsSize/1024 | fields - EventsSize

0 Karma

dbcase
Motivator

You can also put each value on a separate axis or use a horizon chart.

0 Karma

woodcock
Esteemed Legend

The best way to handle this is to edit your visualization, click on the Format (the pen/paintbrush icon), click on the Y-Axis tab, then the Log button in the Scale control. This will ensure that the smaller amounts on the view are not dwarfed to a flat line by the bigger values.

0 Karma

somesoni2
SplunkTrust

If you change the scale (by converting bytes to kb/mb/gb), the size of columns would not look realistic. (e.g. 900 bytes would be much higher than 55 kb, but in reality 55kb is bigger).

0 Karma

rajgowd1
Communicator

Hi,
Thank you.
When I was trying to display events for a time range of 2 hours, if I have an events count like 100000 and I count the sum of these events in bytes, the size comes out as a big number. When I display events count and size in a column chart, I always see the size chart because the event size is big.

So I was thinking that, based on events count, maybe we can display the size of total events.

0 Karma

somesoni2
SplunkTrust

In that case, you should use the chart overlay feature so that you can show two series (event count and event size) in a single graph, with each using a separate y-axis. See this for more information on the same.

https://docs.splunk.com/Documentation/Splunk/6.5.2/Viz/Chartcontrols#Chart_overlay_example_.28dual_a...

0 Karma