Draw chart dynamically based on search results

dyuen · ‎03-16-2018

Hi,

I am trying to gather a list of names and count each Name's success or fail, so I have a query like the following:

.... | stats count by Name, isSuccess

but I only want to the top 5 Names, in terms of count(i.e. regardless of isSuccess) and then graph each Name on a separate panel(e.g. a pie chart to see their ratio of isSuccess). Is this possible?

niketn · ‎03-17-2018

@dyuen, Following is a run anywhere dashboard based on Splunk's _internal index which gets top 5 components in first panel (using Tag Cloud visualization). In the second panel it displays the Pie chart of Successful Count over Total using Trellis.

Following is the Simple XML code.

<form>
  <label>Top 5 Names and their success</label>
  <fieldset submitButton="false"></fieldset>
  <row>
    <panel>
      <input type="time" token="tokTime" searchWhenChanged="true">
        <label></label>
        <default>
          <earliest>-1d@d</earliest>
          <latest>@d</latest>
        </default>
      </input>
      <viz type="simple_xml_examples.tagcloud">
        <title>Top Components</title>
        <search>
          <query>index=_internal sourcetype=splunkd log_level="*"
| top 5 component</query>
          <earliest>$tokTime.earliest$</earliest>
          <latest>$tokTime.latest$</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="drilldown">none</option>
        <option name="height">80</option>
        <option name="simple_xml_examples.tagcloud.labelField">component</option>
        <option name="simple_xml_examples.tagcloud.maxFontSize">20</option>
        <option name="simple_xml_examples.tagcloud.minFontSize">10</option>
        <option name="simple_xml_examples.tagcloud.valueField">count</option>
        <option name="trellis.enabled">1</option>
        <option name="trellis.scales.shared">1</option>
        <option name="trellis.size">small</option>
      </viz>
    </panel>
  </row>
  <row>
    <panel>
      <chart>
        <title>Top Component Success Ratio Pie Chart</title>
        <search>
          <query>index=_internal sourcetype=splunkd log_level="*" 
    [ search index=_internal sourcetype=splunkd log_level="*" earliest="$tokTime.earliest$" latest="$tokTime.latest$" 
    | top 5 component 
    | table component ] 
| eval isSuccess=if(log_level="INFO","Success","Fail") 
| stats count by component isSuccess</query>
          <earliest>$tokTime.earliest$</earliest>
          <latest>$tokTime.latest$</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
        <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
        <option name="charting.axisTitleX.visibility">collapsed</option>
        <option name="charting.axisTitleY.visibility">collapsed</option>
        <option name="charting.axisTitleY2.visibility">collapsed</option>
        <option name="charting.axisX.abbreviation">none</option>
        <option name="charting.axisX.scale">linear</option>
        <option name="charting.axisY.abbreviation">none</option>
        <option name="charting.axisY.scale">linear</option>
        <option name="charting.axisY2.abbreviation">none</option>
        <option name="charting.axisY2.enabled">0</option>
        <option name="charting.axisY2.scale">inherit</option>
        <option name="charting.chart">pie</option>
        <option name="charting.chart.bubbleMaximumSize">50</option>
        <option name="charting.chart.bubbleMinimumSize">10</option>
        <option name="charting.chart.bubbleSizeBy">area</option>
        <option name="charting.chart.nullValueMode">gaps</option>
        <option name="charting.chart.showDataLabels">none</option>
        <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
        <option name="charting.chart.stackMode">default</option>
        <option name="charting.chart.style">shiny</option>
        <option name="charting.drilldown">none</option>
        <option name="charting.layout.splitSeries">0</option>
        <option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
        <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
        <option name="charting.legend.mode">standard</option>
        <option name="charting.legend.placement">none</option>
        <option name="charting.lineWidth">2</option>
        <option name="refresh.display">progressbar</option>
        <option name="trellis.enabled">1</option>
        <option name="trellis.scales.shared">1</option>
        <option name="trellis.size">small</option>
        <option name="trellis.splitBy">component</option>
      </chart>
    </panel>
  </row>
</form>

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

niketn · ‎03-20-2018

@dyuen, if this answer has helped, please accept the answer to mark this question as answered. 🙂

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

dyuen · ‎03-20-2018

Thanks @niketnilay,
The trellis layout you shown in the example is exactly what I needed!
The documentation is in https://docs.splunk.com/Documentation/Splunk/6.6.6/Viz/VisualizationTrellis

Draw chart dynamically based on search results

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms