Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Under Visualization I am getting the name and not value

palisetty
Communicator
‎12-25-2019 01:15 AM

Hello,
Under Visualization, I am getting the name and not value. Here is the query.

index="main" host="web_application" status="200" file="success.do" 
| stats sum(Price) as Revenue by ProductName
| sort - Revenue

I used Automatic Lookup.

Tags (1)
Reply

woodcock
Esteemed Legend
‎12-26-2019 12:33 PM

Never use sort without a number; try this:

index="main" AND host="web_application" AND status="200" AND file="success.do"
| stats sum(Price) AS Revenue BY ProductName
| sort 0 - Revenue

| rename Revenue AS Sales
| eval Revenue="WebSales"
| xyseries Revenue ProductName Sales
Reply

mydog8it
Builder
‎12-26-2019 06:46 AM

When you run the search, what do you see on the statistics tab? Does it look like a spreadsheet with the data you wish to see in a visualization or does it display incorrect data? What visualization are you trying to use on the results?

Reply

palisetty
Communicator
‎12-26-2019 08:19 AM

I think I figured it out. The reason it is coming as a string because I am using clause 'by ProductName'. So it is showing as top Product Name value from the column. If it is some numerical value I would have got some number. If I am wrong please feel free to correct me.
Thank you for trying to help me out.

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎12-26-2019 08:54 AM

Hi @palisetty,
let me understand:

  • in your lookup you have two columns, ProductName and Price, the first is a string, the second a number;
  • in your data you have ProductName and, using the automatic lookup, you have the value of the Price;
  • so you want to sum al the Prices for all the events grouped by ProductName;

is it correct?

If this is your need (as I said):

  • disable the automatic lookup,
  • check the lookup contents,
  • check if the lookup runs with your search results.

At this point (if you like) you can again enable your automatic lookup.

Ciao.
Giuseppe

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎12-25-2019 01:26 AM

Hi @palisetty,
could you better describe what are the result you have and the result you want?
Are Price and ProductName in you data or do you take from the lookup? what's the lookup search?
To debug it, you could disable the automatic lookup and manually use it.

Ciao and Merry Christmas.
Giuseppe

Reply

palisetty
Communicator
‎12-25-2019 04:20 AM

Hi Sir,
Merry Christmas. Thank you for taking time and helping others even on a holiday.

I am looking for the highest Revenue value to be displayed, not the ProductName. Price and ProductName are from Lookup.

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎12-25-2019 11:42 PM

Hi @palisetty,
as I said, the best approach is to disable the automatic lookup and manually use the lookup to understand if there's some problem on it:

  • If it runs when manually, the problem is on the automatic lookup creation;
  • If if doesn't run when manually the problem is on the data in lookup.

I don't like automatic lookups because they bring problems in debugging and understanding search logic!

Anyway at first, check the field names between search results and lookup that must be the same (field names are case sensitive!).

Ciao.
Giuseppe

Reply

palisetty
Communicator
‎12-26-2019 12:17 AM

Thank you Sir. I am actually learning Splunk. I will do as you said

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...

Introducing Splunk Enterprise 9.2

WATCH HERE! Watch this Tech Talk to learn about the latest features and enhancements shipped in the new Splunk ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...