Solved: Rename row by data case at line chart

Questioner · ‎08-03-2023

I want to rename row value by data case. (It is line chart)

The line chart row name changed by token $value$

if value is "iron" -> row must rename as "metal" -> and graph line become "black"

if value is "steak" -> row must rename as "food". -> and graph line become "red"

so I wrote the code like this, but it's not work at all.

<search>
<query>
...
  |eval dt = case("$value$" == "iron", "metal", 1=1, "food")
  |rename "row 1" as dt
...
</query>
</search>
<option name="charting.fieldColors">{"metal": 0xffffff, "food" : 0xFF0000}</option>

How could I solve this problem?

ITWhisperer · ‎08-04-2023

<search>
<query>
...
  |eval dt = case("$value$" == "iron", "metal", 1=1, "food")
  |eval {dt}='row 1'
...
</query>
</search>
<option name="charting.fieldColors">{"metal": 0xffffff, "food" : 0xFF0000}</option>

View solution in original post

ITWhisperer · ‎08-04-2023

<search>
<query>
...
  |eval dt = case("$value$" == "iron", "metal", 1=1, "food")
  |eval {dt}='row 1'
...
</query>
</search>
<option name="charting.fieldColors">{"metal": 0xffffff, "food" : 0xFF0000}</option>

Questioner · ‎08-04-2023

I added this code under my code, but it show three rows 😢

row 1, "metal", "dt"

How could I solve this?

I added this line

<search>
<query>
...
  |sort total_time
  |transpose
  |eval dt = case("$value$" == "iron", "metal", 1=1, "food")
  |eval {dt}='row 1'
...
</query>
</search>
<option name="charting.fieldColors">{"metal": 0xffffff, "food" : 0xFF0000}</option>

ITWhisperer · ‎08-04-2023

| fields - dt "row 1"

Questioner · ‎08-04-2023

OHHH There is something wrong my code.

It work!
Thank you for your help!!!😀

gcusello · ‎08-03-2023

Hi @Questioner,

could you share the full search? it isn't clear the algorithm you used.

Ciao.

Giuseppe

Questioner · ‎08-04-2023

<row>

<panel>

<chart>

<title>checking the making time</title>

<query>

| where make_end_time <= 50

| where amount != "None"

| where total_time <= 15

| where value_type = case("$v_type$"=="iron", 1, "$v_type$"=="steak", 2, 1=1, value_type)

| eval get_start_time = prepare - welcome

| eval wash_time = finish_wash - prepare

| eval make = make_time - finish_wash

| chart eval(round(avg(get_start_time), 3)) as "Start time" eval(round(avg(wash_time), 3)) as "cleaning" eval(round(avg(coook), 3)) as "making"

| sort total_time

|transpose

|rename "row 1" as "metal" |rename "row 2" as "food"</query>

</search>

<option name="charting.fieldColors">{"metal": 0xffffff, "food" : 0xFF0000}</option>

<option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisMiddle</option>

<option name="charting.axisTitleX.visibility">visible</option>

<option name="charting.axisTitleY.visibility">visible</option>

<option name="charting.axisTitleY2.visibility">visible</option>

<option name="charting.axisY.scale">linear</option>

<option name="charting.axisY2.scale">inherit</option>

<option name="charting.chart.stackMode">default</option>

<option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>

<option name="charting.legend.mode">standard</option>

<option name="refresh.display">progressbar</option>

</chart>

</panel>

</row>

This is my origin code! The data will send to the server

Rename row by data case at line chart

chart

Introducing the Splunk Community Dashboard Challenge!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...