Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Chart Multiple (4) Fields

arielpconsolaci
Path Finder
‎06-22-2017 09:18 PM

Is it possible to create a chart out of 4 fields in Splunk?
I am trying to create a chart shown below but I was only able to using 3 fields (without the status). My given data have 4 fields. Any suggestions to this? Thanks in advance.alt text

Preview file
1 KB
0 Karma
Reply

cmerriman
Super Champion
‎06-23-2017 04:49 AM

what version of splunk are you currently running? if you are on 6.6, i would recommend the new Trellis feature for this. 

| makeresults |eval data="_time=1498217650,component=A,status=running,no=10 _time=1498217651,component=A,status=running,no=20 _time=1498217652,component=A,status=offline,no=10 _time=1498217653,component=A,status=online,no=30 _time=1498217650,component=B,status=running,no=20 _time=1498217651,component=B,status=offline,no=40 _time=1498217652,component=B,status=offline,no=10 _time=1498217653,component=B,status=running,no=40"|makemv data |mvexpand data|eval _raw=data|kv|eval _time=time|stats values(no) as no by _time component status|eval{status}=no|fields - status - no

you can split each component into its own chart with the same query. Splunk does not currently have a way, that I know of, to allow for multi-level x-axis, like Excel does, and the trellis feature is a close second.

0 Karma
Reply

HeinzWaescher
Motivator
‎06-23-2017 12:18 AM

What about something like:

index=component_server
| timechart span=1m sum(No.), values(status) AS status by component
| fillnull value=0

0 Karma
Reply

arielpconsolaci
Path Finder
‎06-23-2017 02:26 AM

Thank you for this suggestion @HeinzWaescher. This however does not show the 'Status'.

0 Karma
Reply

inventsekar
SplunkTrust
SplunkTrust
‎06-22-2017 10:26 PM

ok, please check this... as timechart by Status can be one idea.. please check the image. 

sourcetype="csvtest" | timechart span=1m sum(No) by Status | fillnull value=0

alt text

Preview file
1 KB
Reply

arielpconsolaci
Path Finder
‎06-23-2017 12:08 AM

Thank you for this, @inventsekar. However, i'd need a chart (based on component and status) close to the screenshot i've sent above.

0 Karma
Reply

inventsekar
SplunkTrust
SplunkTrust
‎06-22-2017 09:30 PM

may we know your current splunk search query..
you can do some split by or layered/multi-stack options I think.
one question - how status can be embedded on this chart - is a tricky issue.

0 Karma
Reply

arielpconsolaci
Path Finder
‎06-22-2017 09:37 PM

Thank you for your response @inventsekar.

My query is as simple as below.

index=component_server
| timechart span=1m sum(No.) by Component
| fillnull value=0

Yes. I am having troubles incorporating the 'Status'. Can you advise on this?

0 Karma
Reply
Get Updates on the Splunk Community!

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

WATCH NOWAs AI starts tackling low level alerts, it's more critical than ever to uplevel your threat hunting ...

Splunk APM: New Product Features + Community Office Hours Recap!

Howdy Splunk Community! Over the past few months, we’ve had a lot going on in the world of Splunk Application ...

Index This | Forward, I’m heavy; backward, I’m not. What am I?

April 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...