There are 5 rows of data in the table. I want to display these 5 rows of data a line chart.
There are 4 fields, field 1 for time, field 2 for host ID, field 3 for metric type, field 4 for numeric value.
I want to show the usage rate and memory usage of CPU in a picture, using the way of polygon graph.
Excuse me, how to realize
Try
"your search to return the fields"| stats max(numerical_value) by _time,host_ID,metric_type
and select "line" visualization
e.g
<dashboard>
<label>TEST</label>
<row>
<panel>
<chart>
<search>
<query>index=_introspection sourcetype=splunk_resource_usage data.pct_cpu=*|table _time,data.process,sourcetype,data.pct_cpu
|stats max(data.pct_cpu) by _time,data.process,sourcetype</query>
<earliest>-15m</earliest>
<latest>now</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="charting.chart">line</option>
<option name="charting.drilldown">all</option>
</chart>
</panel>
</row>
</dashboard>
@flzhang132 while your actual requirement would only be clear only after you can provide more details on the type of output you want.
Do check out the following answers which talks about two options i.e. to use Event Annotations available from Splunk Enterprise 7.0 onward or else to add details to Tooltip text using answer by @jeffland
https://answers.splunk.com/answers/613705/using-dashboard-for-presentation.html
Try
"your search to return the fields"| stats max(numerical_value) by _time,host_ID,metric_type
and select "line" visualization
e.g
<dashboard>
<label>TEST</label>
<row>
<panel>
<chart>
<search>
<query>index=_introspection sourcetype=splunk_resource_usage data.pct_cpu=*|table _time,data.process,sourcetype,data.pct_cpu
|stats max(data.pct_cpu) by _time,data.process,sourcetype</query>
<earliest>-15m</earliest>
<latest>now</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="charting.chart">line</option>
<option name="charting.drilldown">all</option>
</chart>
</panel>
</row>
</dashboard>
I want to display these 5 rows of data a line chart. and can not used a aggregate function (ex. max)
if those 5 lines are unique by time and other fields, you still get those values irrespective of the aggregation function. Instead of max, you could use `values