Answers for "Plain histogram of x-axis values over y-axis"
https://answers.splunk.com/answers/545398/plain-histogram-of-x-axis-values-over-y-axis.html
The latest answers for the question "Plain histogram of x-axis values over y-axis"
Answer by sideview
https://answers.splunk.com/answering/546354/view.html
I've had this sort of question come up a lot, and I thought maybe I'd give a different kind of answer, in case it was helpful or complementary.
Questions are more or less "I want to just chart the raw values, as points on a screen. Typically a timechart."
And they come up in two ways:
a) I don't want to bucket the times, and I don't want to think about avg/min/max, because there aren't very many of them! I just want the values on the screen
b) I don't want to bucket the times and/or think about avg/min/max because I want the human eye to see the storm of points as a scatter plot and I think that'll be better than some clever statistic.
And there are a few ways to answer it.
1) OK, you can throw the raw points at the chart, you just have to use no actual transforming command at all!
Here's a good canonical answer
https://answers.splunk.com/answers/211376/how-to-chart-raw-windows-perfmon-values-over-time.html
Con - If your time granularity exceeds (or greatly exceeds) the number of pixels on the screen... you're not going to have a good time, i.e. the "storm of points" may just be a weird fuzzy block of noise.
Con - the charting framework doesn't really like to graph tens of, or hundreds of thousands of points. You might now or down the road get some truncation and error messages about truncation.
2) Sometimes the correct answer is to really come back and use some statistical aggregation, and resign yourself to a particular bucketing of the time values. Here's a good, if verbose question that covers this:
https://answers.splunk.com/answers/386217/displaying-average-from-a-timechart.html
3) and there are sometimes other outlier answers, like this one here to use first() as a shoot from the hip heuristic.
https://answers.splunk.com/answers/6216/how-to-plot-values-without-using-max-avg-count.html
But this seems imo pretty problematic and potentially misleading. Use with caution.
Kind of sprawling answer. Perhaps not really an "answer" at all and more of a "further reading" post. =)
Fri, 09 Jun 2017 19:26:24 GMT
sideview
Answer by DalJeanis
https://answers.splunk.com/answering/544308/view.html
You are rejecting the methods that work. WHY?
You are focused on creating a histogram, which means that for each value of id, there must be a single unique numeric value of pr that constitutes how tall the bar will be.
What, exactly, does the value of pr mean? It must be a number, for the one-dimensional histogram you are asking for to exist.
If pr is not a number, then COUNT is the only aggregate function that makes sense. Use that. (If there are multiple possible values of pr for each id, you could use distinct count also, or you could abandon the single-dimension histogram in favor of something else.)
If pr is a number, and if there is only one event for each value of pr in each value of id, then SUM, MAX, MIN, AVG will all work and will all get the same answer.
If pr is a number, and there are multiple possible events for each combination of pr and id, then you need to decide exactly what you are trying to graph. Figure out the math for "how do I know how tall the bar needs to be?" and then code that into the chart command (or any other command).
----------
On the other hand, if you want to do an x-y plot of various values, try visualizations that are not bar charts. Specifically, try the bubble chart and other x-y plots to see if they meet your need.
Fri, 09 Jun 2017 14:39:11 GMT
DalJeanis
Answer by twinspop
https://answers.splunk.com/answering/545464/view.html
source="HVR_1 PageRank.csv" id="*" pr="*" | chart last(pr) as pr over id
But as rich7177 points out, this may not be exactly what you want.
Fri, 09 Jun 2017 14:37:26 GMT
twinspop