- Splunk Answers
- :
- Using Splunk
- :
- Dashboards & Visualizations
- :
- Constants in Splunk Bar Graph Charts
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have a query like this - which charts the number of grapes and pears in a fruit cart
sourcetype="fruitlog" type="pear" OR type="grape" | eval InStock=10 | chart first(InStock) as InStock,count(eval(type="pear")) AS numPears, count(eval(type="grape")) AS numGrapes
The InStock amount is the total number of fruits that is UNRELATED to the number of Pears and Grapes.
When I put this up on a dashboard, NO bar appears for the InStock Value of 10. I see numPears and I see numGrapes.
Any ideas so as to why this CONSTANT value would not display on a chart ? It might sound stupid to even have it there, but I need for it to show for comparison.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Add this to the end of your search
| transpose | rename "row 1" as count
The trick is to get your data in multiple rows, not across multiple columns.
You can also replace 'chart' with 'stats'
A neater search might be
sourcetype="fruitlog" type="pear" OR type="grape"
| stats count by type
| appendpipe [ head 1 | eval type="InStock" | eval count=10 | fields type count ]
The 1st 2 lines gets the count per type (which will graph as-is)
the last line just spoofs an entry for InStock
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Add this to the end of your search
| transpose | rename "row 1" as count
The trick is to get your data in multiple rows, not across multiple columns.
You can also replace 'chart' with 'stats'
A neater search might be
sourcetype="fruitlog" type="pear" OR type="grape"
| stats count by type
| appendpipe [ head 1 | eval type="InStock" | eval count=10 | fields type count ]
The 1st 2 lines gets the count per type (which will graph as-is)
the last line just spoofs an entry for InStock
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
yeah - i don't have your data, but this seems to be similar to what you're using :
index=_internal | eval instock=10 | stats first(instock) as instock count(eval(group=="pipeline")) as pipe count(eval(group=="queue")) as queue | transpose | rename "row 1" as count`
or
index=_internal group="pipeline" OR group="queue" | stats count by group | appendpipe [ head 1 | eval group="InStock" | eval count=10 | fields group count ]
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
sourcetype="fruitlog" type="pear" OR type="grape" | eval InStock=10 | chart first(InStock) as InStock,count(eval(type="pear")) AS numPears, count(eval(type="grape")) AS numGrapes | transpose | rename "row 1" as count ???
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It's not that it's a constant, it's that your search will generate one row with multiple columns and the first column will be the one used by the bar chart for the Y-axis label. Try removing the first part of your chart command and you'll see that numPears will disappear from the bar chart and instead be used as a label.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
So, how would you recommend I frame my search.
A timechart is not desired here but just a chart.
.conf24 | Registration Open!
ICYMI - Check out the latest releases of Splunk Edge Processor
Introducing the 2024 SplunkTrust!
