Hi,
As seen in the above image, you can see that visualization chart displays the top values of the field: Source Address.
X-axis displays the source address and Y-axis the count. I also need to include the percent value which is seen in the table( grayed out in the image) in the chart. How can I do that? Main aim is to derive the source address vs percentage use.
Kindly help me on this quickly.
Thanks & Regards,
Sushma.
1 Solution
@muralisushma7, please try the following search. If you are on Splunk 6.6 or higher you can use Trellis Layout to break the timechart by Time.
source="jnpr-syslog" policy_name=Internet_Lab_Policy_Gateway_Logging source
| bin _time span=1d
| stats count as Count by source_address _time
| eventstats sum(Count) as Total by _time
| eval "Count%"=round((Count/Total)*100,2)
| fields - Total
| sort - _time Count
| streamstats count as sno by _time
| search sno<=20
| fields - sno
| eval _time=strftime(_time,"%Y/%m/%d")
| rename _time as Time
| stats last(Count) as Count last("Count%") as "Count%" by Time source_address
| sort - Count
Following is a run anywhere dashboard example based on Splunk's _internal index
Please find the Simple XML dashboard code for example above:
<form>
<label>Timechart with Volume and Percent with Trellis</label>
<fieldset submitButton="false"></fieldset>
<row>
<panel>
<input type="time" token="tokTime" searchWhenChanged="true">
<label></label>
<default>
<earliest>-7d@h</earliest>
<latest>now</latest>
</default>
</input>
<chart>
<title>Daily Top 10 Errors by Component</title>
<search>
<query>index=_internal sourcetype=splunkd log_level!=INFO
| bin _time span=1d
| stats count as Error by component _time
| eventstats sum(Error) as Total by _time
| eval "Error%"=round((Error/Total)*100,2)
| fields - Total
| sort - _time Error
| streamstats count as sno by _time
| search sno<=10
| fields - sno
| eval _time=strftime(_time,"%Y/%m/%d")
| rename _time as Time
| stats last(Error) as Error last("Error%") as "Error%" by Time component
| sort - Error</query>
<earliest>$tokTime.earliest$</earliest>
<latest>$tokTime.latest$</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisMiddle</option>
<option name="charting.axisLabelsX.majorLabelStyle.rotation">-45</option>
<option name="charting.axisTitleX.visibility">visible</option>
<option name="charting.axisTitleY.visibility">visible</option>
<option name="charting.axisTitleY2.visibility">visible</option>
<option name="charting.axisX.abbreviation">none</option>
<option name="charting.axisX.scale">linear</option>
<option name="charting.axisY.abbreviation">none</option>
<option name="charting.axisY.scale">linear</option>
<option name="charting.axisY2.abbreviation">none</option>
<option name="charting.axisY2.enabled">1</option>
<option name="charting.axisY2.scale">inherit</option>
<option name="charting.chart">column</option>
<option name="charting.chart.bubbleMaximumSize">50</option>
<option name="charting.chart.bubbleMinimumSize">10</option>
<option name="charting.chart.bubbleSizeBy">area</option>
<option name="charting.chart.nullValueMode">gaps</option>
<option name="charting.chart.overlayFields">Error%</option>
<option name="charting.chart.showDataLabels">none</option>
<option name="charting.chart.sliceCollapsingThreshold">0.01</option>
<option name="charting.chart.stackMode">default</option>
<option name="charting.chart.style">shiny</option>
<option name="charting.drilldown">none</option>
<option name="charting.layout.splitSeries">0</option>
<option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
<option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
<option name="charting.legend.mode">standard</option>
<option name="charting.legend.placement">bottom</option>
<option name="charting.lineWidth">2</option>
<option name="height">600</option>
<option name="refresh.display">progressbar</option>
<option name="trellis.enabled">1</option>
<option name="trellis.scales.shared">0</option>
<option name="trellis.size">medium</option>
<option name="trellis.splitBy">Time</option>
</chart>
</panel>
</row>
</form>
@muralisushma7,
Please try the following run anywhere dashboard. It two options to present Real-time top 10 stats i.e. through Bar Chart and Status Indicator Custom Visualization. Real-time stats is showing just Top 10 Stats and Percent (No Time breakdown as time window is anyways rolling time bucket)
Below the same you can use historical 7 Days data as shared previously. I have added a 10 minute refresh for the Trellis Layout.
Please find below the Simple XML Dashboard Code.
<form>
<label>Timechart with Volume and Percent with Trellis</label>
<fieldset submitButton="false"></fieldset>
<row>
<panel>
<title>Real Time 1 minute window</title>
<input type="time" token="tokRealTime" searchWhenChanged="true">
<label>Select Real Time Window</label>
<default>
<earliest>rt-1m</earliest>
<latest>rt</latest>
</default>
</input>
</panel>
</row>
<row>
<panel>
<chart>
<title>Real-Time Top 10 Bar Chart</title>
<search id="baseRealTimeSplunkdErrorSearch">
<query>index=_internal sourcetype=splunkd log_level="INFO"
| top 10 component
| eval "Error%"=round(percent,1)
| fields - percent
| rename count as Error
| stats last(Error) as Error last("Error%") as "Error%" by component</query>
<earliest>$tokRealTime.earliest$</earliest>
<latest>$tokRealTime.latest$</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
<option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
<option name="charting.axisTitleX.visibility">visible</option>
<option name="charting.axisTitleY.visibility">visible</option>
<option name="charting.axisTitleY2.visibility">visible</option>
<option name="charting.axisX.abbreviation">none</option>
<option name="charting.axisX.scale">linear</option>
<option name="charting.axisY.abbreviation">none</option>
<option name="charting.axisY.scale">linear</option>
<option name="charting.axisY2.abbreviation">none</option>
<option name="charting.axisY2.enabled">1</option>
<option name="charting.axisY2.scale">inherit</option>
<option name="charting.chart">bar</option>
<option name="charting.chart.bubbleMaximumSize">50</option>
<option name="charting.chart.bubbleMinimumSize">10</option>
<option name="charting.chart.bubbleSizeBy">area</option>
<option name="charting.chart.nullValueMode">gaps</option>
<option name="charting.chart.overlayFields">Error%</option>
<option name="charting.chart.showDataLabels">all</option>
<option name="charting.chart.sliceCollapsingThreshold">0.01</option>
<option name="charting.chart.stackMode">default</option>
<option name="charting.chart.style">shiny</option>
<option name="charting.drilldown">none</option>
<option name="charting.layout.splitSeries">0</option>
<option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
<option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
<option name="charting.legend.mode">standard</option>
<option name="charting.legend.placement">right</option>
<option name="charting.lineWidth">2</option>
<option name="refresh.display">progressbar</option>
<option name="trellis.enabled">0</option>
<option name="trellis.scales.shared">0</option>
<option name="trellis.size">medium</option>
<option name="trellis.splitBy">component</option>
</chart>
</panel>
<panel>
<viz type="status_indicator_app.status_indicator">
<title>Real-Time Top 10 Status Indicator</title>
<search base="baseRealTimeSplunkdErrorSearch">
<query>| eval Error="Error: ".Error." (".'Error%'."%)"
| stats last(Error) as Error by component</query>
</search>
<option name="drilldown">none</option>
<option name="refresh.display">progressbar</option>
<option name="status_indicator_app.status_indicator.colorBy">static_color</option>
<option name="status_indicator_app.status_indicator.fillTarget">text</option>
<option name="status_indicator_app.status_indicator.fixIcon">warning</option>
<option name="status_indicator_app.status_indicator.icon">fix_icon</option>
<option name="status_indicator_app.status_indicator.precision">0</option>
<option name="status_indicator_app.status_indicator.showOption">3</option>
<option name="status_indicator_app.status_indicator.staticColor">#555</option>
<option name="status_indicator_app.status_indicator.useColors">true</option>
<option name="status_indicator_app.status_indicator.useThousandSeparator">true</option>
<option name="trellis.enabled">1</option>
</viz>
</panel>
</row>
<row>
<panel>
<input type="time" token="tokTime" searchWhenChanged="true">
<label></label>
<default>
<earliest>-7d@h</earliest>
<latest>now</latest>
</default>
</input>
<chart>
<title>Daily Top 10 Errors by Component (Refreshes Every 10 minute)</title>
<search>
<query>index=_internal sourcetype=splunkd log_level=INFO
| bin _time span=1d
| stats count as Error by component _time
| eventstats sum(Error) as Total by _time
| eval "Error%"=round((Error/Total)*100,2)
| fields - Total
| sort - _time Error
| streamstats count as sno by _time
| search sno<=10
| fields - sno
| eval _time=strftime(_time,"%Y/%m/%d")
| rename _time as Time
| stats last(Error) as Error last("Error%") as "Error%" by Time component
| sort - Error</query>
<earliest>$tokTime.earliest$</earliest>
<latest>$tokTime.latest$</latest>
<sampleRatio>1</sampleRatio>
<refresh>10m</refresh>
<refreshType>delay</refreshType>
</search>
<option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisMiddle</option>
<option name="charting.axisLabelsX.majorLabelStyle.rotation">-45</option>
<option name="charting.axisTitleX.visibility">visible</option>
<option name="charting.axisTitleY.visibility">visible</option>
<option name="charting.axisTitleY2.visibility">visible</option>
<option name="charting.axisX.abbreviation">none</option>
<option name="charting.axisX.scale">linear</option>
<option name="charting.axisY.abbreviation">none</option>
<option name="charting.axisY.scale">linear</option>
<option name="charting.axisY2.abbreviation">none</option>
<option name="charting.axisY2.enabled">1</option>
<option name="charting.axisY2.scale">inherit</option>
<option name="charting.chart">column</option>
<option name="charting.chart.bubbleMaximumSize">50</option>
<option name="charting.chart.bubbleMinimumSize">10</option>
<option name="charting.chart.bubbleSizeBy">area</option>
<option name="charting.chart.nullValueMode">gaps</option>
<option name="charting.chart.overlayFields">Error%</option>
<option name="charting.chart.showDataLabels">none</option>
<option name="charting.chart.sliceCollapsingThreshold">0.01</option>
<option name="charting.chart.stackMode">default</option>
<option name="charting.chart.style">shiny</option>
<option name="charting.drilldown">none</option>
<option name="charting.layout.splitSeries">0</option>
<option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
<option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
<option name="charting.legend.mode">standard</option>
<option name="charting.legend.placement">bottom</option>
<option name="charting.lineWidth">2</option>
<option name="height">250</option>
<option name="refresh.display">progressbar</option>
<option name="trellis.enabled">1</option>
<option name="trellis.scales.shared">0</option>
<option name="trellis.size">medium</option>
<option name="trellis.splitBy">Time</option>
<option name="height">600</option>
</chart>
</panel>
</row>
</form>
@muralisushma7, please try the following search. If you are on Splunk 6.6 or higher you can use Trellis Layout to break the timechart by Time.
source="jnpr-syslog" policy_name=Internet_Lab_Policy_Gateway_Logging source
| bin _time span=1d
| stats count as Count by source_address _time
| eventstats sum(Count) as Total by _time
| eval "Count%"=round((Count/Total)*100,2)
| fields - Total
| sort - _time Count
| streamstats count as sno by _time
| search sno<=20
| fields - sno
| eval _time=strftime(_time,"%Y/%m/%d")
| rename _time as Time
| stats last(Count) as Count last("Count%") as "Count%" by Time source_address
| sort - Count
Following is a run anywhere dashboard example based on Splunk's _internal index
Please find the Simple XML dashboard code for example above:
<form>
<label>Timechart with Volume and Percent with Trellis</label>
<fieldset submitButton="false"></fieldset>
<row>
<panel>
<input type="time" token="tokTime" searchWhenChanged="true">
<label></label>
<default>
<earliest>-7d@h</earliest>
<latest>now</latest>
</default>
</input>
<chart>
<title>Daily Top 10 Errors by Component</title>
<search>
<query>index=_internal sourcetype=splunkd log_level!=INFO
| bin _time span=1d
| stats count as Error by component _time
| eventstats sum(Error) as Total by _time
| eval "Error%"=round((Error/Total)*100,2)
| fields - Total
| sort - _time Error
| streamstats count as sno by _time
| search sno<=10
| fields - sno
| eval _time=strftime(_time,"%Y/%m/%d")
| rename _time as Time
| stats last(Error) as Error last("Error%") as "Error%" by Time component
| sort - Error</query>
<earliest>$tokTime.earliest$</earliest>
<latest>$tokTime.latest$</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisMiddle</option>
<option name="charting.axisLabelsX.majorLabelStyle.rotation">-45</option>
<option name="charting.axisTitleX.visibility">visible</option>
<option name="charting.axisTitleY.visibility">visible</option>
<option name="charting.axisTitleY2.visibility">visible</option>
<option name="charting.axisX.abbreviation">none</option>
<option name="charting.axisX.scale">linear</option>
<option name="charting.axisY.abbreviation">none</option>
<option name="charting.axisY.scale">linear</option>
<option name="charting.axisY2.abbreviation">none</option>
<option name="charting.axisY2.enabled">1</option>
<option name="charting.axisY2.scale">inherit</option>
<option name="charting.chart">column</option>
<option name="charting.chart.bubbleMaximumSize">50</option>
<option name="charting.chart.bubbleMinimumSize">10</option>
<option name="charting.chart.bubbleSizeBy">area</option>
<option name="charting.chart.nullValueMode">gaps</option>
<option name="charting.chart.overlayFields">Error%</option>
<option name="charting.chart.showDataLabels">none</option>
<option name="charting.chart.sliceCollapsingThreshold">0.01</option>
<option name="charting.chart.stackMode">default</option>
<option name="charting.chart.style">shiny</option>
<option name="charting.drilldown">none</option>
<option name="charting.layout.splitSeries">0</option>
<option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
<option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
<option name="charting.legend.mode">standard</option>
<option name="charting.legend.placement">bottom</option>
<option name="charting.lineWidth">2</option>
<option name="height">600</option>
<option name="refresh.display">progressbar</option>
<option name="trellis.enabled">1</option>
<option name="trellis.scales.shared">0</option>
<option name="trellis.size">medium</option>
<option name="trellis.splitBy">Time</option>
</chart>
</panel>
</row>
</form>
